2016-12-26

The country is fast embracing the idea of a cashless economy. As currency is not easily available post-demonetisation, the general public is left with no choice but to go digital. However, one should not miss the point that making an informed decision and being forced to go for electronic payments are as different as chalk and cheese.



When one makes an informed choice, one is aware of the good and bad of it, the benefits and the pitfalls, and is prepared to handle both. When people with limited knowledge of the pitfalls are pushed into digital transactions, they easily fall prey to cyber criminals.



Taking a largely illiterate and digitally-ignorant population in a mad rush towards digitisation can do more harm than good as it overlooks the security needs at different levels — individual, banks, cards, computer and mobile.



Since the demonetisation of high value notes in November, mobile wallet transactions have grown by over 1,000 per cent. Several new mobile wallet companies have mushroomed. In the first week of demonetisation itself, the country witnessed a jump of 60 per cent in debit card usage. The government is doling out several promotional offers to make people transact more digitally. However, there is no regulatory agency to ensure that these wallets follow adequate security practices. There is no clarity as to how people will be reimbursed in the event of a massive digital fraud or a cyber attack. While cyber attacks are growing, convictions have been negligible. The police and the legal system should be empowered enough to deal with cyber crimes and attacks.



Even the digitally-advanced countries are still grappling with the hacking menace. Google Wallet, Apple Pay, the Starbucks app, CurrentC and Samsung’s LoopPay are among the global payment solutions that have recently had user data compromised. Closer home, it was just a few months ago that a theft of data on 3.2 million debit cards issued by leading banks such as HDFC, SBI, ICICI and Yes Bank was detected. Before looking at whether the banks, credit and debit card providers, mobile wallets and all such fintech companies are fully prepared to secure people's hard-earned money, let us find out how prepared the Indian population is to handle the risks.



Internet penetration in India is 36 per cent, and only 9 per cent of the rural population has access to the internet on their mobile phones. The number of people who are aware of and can handle the digital risks is much smaller. The task of educating this digitally-illiterate population is huge, and making them alert to the risks associated with digital payments is a daunting task.



Even digitally-literate Indians were found to be the most naive when it comes to giving away sensitive data. Intel Security’s “Digital Detox: Unplugging on Vacation” report found that Indians lead their global counterparts in willingly sharing personal information such as credit card numbers or login names/passwords when travelling. More than 36 per cent of travelling Indians shared their personal data even when they realised that this would make them vulnerable, the highest share among the 14 countries surveyed.



“Demonetisation has accelerated us towards a cashless economy. This surge in digital payments brings cyber security in the limelight. India is a mobile first economy and hence, now more than ever, it’s imperative that consumers are vigilant about security in the online domain,” said Anand Ramamoorthy, MD, South Asia, Intel Security. “The move towards demonetisation will introduce many Indians to online transactions and regardless of their prior online experience, security must be given the paramount importance,” he added.



It is very common for people to disclose their net-banking user IDs and passwords to random callers who pretend to be bank employees. Older people often fall prey to such financial security risks.



“As many as 50 per cent of mobile phone owners do not lock their devices. If the devices are misplaced or lost, this puts them at a very high risk of losing important data, especially when people have started storing their payment credentials on the phone,” said Khushroo Panthaky, director, Grant Thornton Advisory. Many people do not even realise that their phones and computers have been hacked or attacked.



A closer look at these mobile and web-based modes of transaction shows that their security features are not foolproof enough to safeguard users’ hard-earned money.



“On a scale of 1 to 10, digital modes of payments would easily score a high 8 for convenience and ease. But on the same scale they would notch a dismal 4 for security,” finds Rohit Gadia of Entrepreneurs’ Organisation. Despite the low penetration of the internet compared to developed markets, India is in sixth position in terms of web application attacks.



None of the digital payment modes in India, including Aadhaar-linked transactions, mobile wallets and card-based e-commerce transactions, is secure enough. Experts find that it is easy to install malware or a rogue app on a mobile that can steal payment credentials; that hidden card readers and fingerprint-cloning devices make bank accounts vulnerable in Aadhaar-linked transactions; and that transactions without one-time passwords leave e-commerce purchases insecure.



“No technology is and will be 100 per cent hack-proof,” says Rahul Mohanraj, a Chennai-based ethical hacker. Working out the card number, expiry date and security code of any credit or debit card can take as little as six seconds and uses nothing more than guesswork.



The mobile wallets in India use a software-only security model, which is not secure enough. “In that, attackers deceive victims or convince them to install mobile malware or rogue apps that can steal user payment details stored within the mobile's operating system. Attackers can also gain super-user permissions on the victim’s cell phone and steal the user's PIN or passcodes. Over the recent past the mobile payment systems of Google Wallet, Apple Pay, Venmo, CurrentC and LoopPay were compromised. Hardware-level security is more secure than the ones used in Indian mobile wallets,” said Mohammed Ali, a researcher at Newcastle University’s School of Computing Science in the UK.



Chipset maker Qualcomm, too, had recently said that mobile wallets in India are not using hardware security systems. They run in Android mode, and users' passwords can be stolen. Fingerprints can also be captured.



In the case of mobile wallets, the popular method of hacking is man-in-the-middle. “There are a lot of Android apps that land up in a phone with or without our knowledge. These also include rogue apps. The app gets the phone connected to a proxy server and all the transactions to the mobile wallet will be routed through the proxy server. These apps can also be used to read all the incoming messages or calls, which can be diverted to the hacker,” said Mohanraj.



E-commerce transactions in India are not fully secure. The one-time password (OTP) is considered one of the safest security features currently available for such digital transactions. Apart from a few leading ones, most of the e-commerce sites in India do not use one-time passwords during transactions, said Ali, who was part of the team that studied the security preparedness of Indian e-commerce firms.



However, even the OTP is not as secure as it is imagined to be. A cyber criminal can easily get all the payment credentials, including the OTP, if he manages to get a duplicate SIM.



Getting hold of an OTP is not a difficult task for a hacker. A hacker can set up a fake mobile base station to intercept phone calls and read text messages. If the OTP is short, say four digits, and the site has no “rate limiting” or blocking of the transaction after two or three failed attempts, a hacker can keep submitting random OTP guesses until one of them is accepted.
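The rate-limiting point above, as an added example that is not from the article or any of the companies it names: a server-side OTP check that blocks the transaction after three failures (an assumed policy), alongside the same check with no limit, and a small simulation showing how differently the two fare against a client that submits every four-digit code in order.

```python
import hmac
import secrets

MAX_ATTEMPTS = 3  # assumed policy: block the transaction after three wrong guesses


class OtpVerifier:
    """Server-side check of the OTP for one payment transaction."""

    def __init__(self, digits=4, limit_attempts=True, otp=None):
        self.digits = digits
        self.limit_attempts = limit_attempts  # False models a site with no rate limiting
        self.failures = 0
        self.locked = False
        # Generate with a CSPRNG; `otp` may be injected only to make tests deterministic
        self.otp = otp or "".join(secrets.choice("0123456789") for _ in range(digits))

    def verify(self, guess):
        if self.locked:
            return False  # transaction blocked, no further guesses are evaluated
        # Constant-time comparison so response timing does not leak matching digits
        if hmac.compare_digest(self.otp, guess):
            return True
        self.failures += 1
        if self.limit_attempts and self.failures >= MAX_ATTEMPTS:
            self.locked = True
        return False


def exhaustive_guess_outcome(digits, limit_attempts, otp=None):
    """Submit every code in order and report (succeeded, guesses_made).

    Shows the effect of the lockout: without it every code in the space is
    checked until the right one is found; with it the transaction dies after
    MAX_ATTEMPTS failures.
    """
    v = OtpVerifier(digits, limit_attempts, otp)
    for n in range(10 ** digits):
        if v.verify(str(n).zfill(digits)):
            return True, n + 1
        if v.locked:
            return False, n + 1
    return False, 10 ** digits


if __name__ == "__main__":
    print(exhaustive_guess_outcome(4, limit_attempts=False, otp="7391"))  # (True, 7392)
    print(exhaustive_guess_outcome(4, limit_attempts=True, otp="7391"))   # (False, 3)
```

In production the failure counter lives in shared storage keyed by the transaction, and the OTP itself should expire after a few minutes.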



A hacker can create a fake page mimicking the e-commerce or payment site and send the user a mail informing him of an attractive offer. A less alert user will follow the link in the mail to the site and make a transaction. With this, the hacker will not just receive the transaction amount; all the payment credentials too will be at his disposal.



Among the hacking fraternity, another popular method is clickjacking. Pages that do not send an X-Frame-Options header can easily be attacked this way. The hacker hides a fake page over the transaction page; the fake page displays a “pay” button, and once the user presses it, the hacker receives all the transaction details.
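To make the X-Frame-Options point concrete, here is an added example (not code from the article or any site it mentions): a checker that decides from a response's headers whether a page can be framed by a third-party site, and a helper that hardens a header set with both X-Frame-Options and the CSP frame-ancestors directive that newer browsers honour in preference to it.

```python
def _lookup(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def frame_ancestors_sources(csp_value):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp_value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def is_frameable_by_third_party(headers):
    """True if a page served with these response headers can be placed in a
    cross-site iframe, i.e. it is exposed to the overlay trick described above."""
    csp = _lookup(headers, "content-security-policy")
    if csp is not None:
        sources = frame_ancestors_sources(csp)
        if sources is not None:
            # Browsers honour frame-ancestors over X-Frame-Options when both exist.
            # A wildcard allows any site; an empty list is equivalent to 'none'.
            return "*" in sources
    xfo = _lookup(headers, "x-frame-options")
    if xfo is None:
        return True  # no anti-framing header at all
    # DENY and SAMEORIGIN block third parties; anything else (e.g. the obsolete
    # ALLOW-FROM) is ignored by modern browsers, leaving the page frameable.
    return xfo.strip().upper() not in ("DENY", "SAMEORIGIN")


def add_anti_framing_headers(headers):
    """Return a copy of the response headers with X-Frame-Options: DENY and a
    frame-ancestors 'none' directive appended to any existing CSP."""
    hardened = {k: v for k, v in headers.items()
                if k.lower() not in ("x-frame-options", "content-security-policy")}
    csp = _lookup(headers, "content-security-policy") or ""
    if frame_ancestors_sources(csp) is None:  # keep an operator's explicit policy
        csp = (csp.rstrip("; ") + "; " if csp else "") + "frame-ancestors 'none'"
    hardened["X-Frame-Options"] = "DENY"
    hardened["Content-Security-Policy"] = csp
    return hardened
```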



The government has recently asked Visa, MasterCard and RuPay to work together to produce a unified India QR code. With smart phones and QR codes, you can store your bank account information on your phone, so instead of carrying a bunch of cards around with you, all you will need is your cell phone. You will be able to go into a store, pick out an item, and instantly scan its barcode to check out. Hackers can generate a QR code with fake details replicating the retailer's and replace the original QR code with it, added Mohanraj.

The government is pushing Aadhaar-linked transactions largely to cover the less-aware rural masses, as these are less complicated to use. Aadhaar-enabled transactions are card-less and PIN-less. They would enable Android phone users to transact digitally using their Aadhaar number and fingerprint/iris authentication.



“Generally all the bank accounts will be linked to the Aadhaar number. There is no digital security in the Aadhaar card, which means an attacker only needs to know a number to access all the user's bank accounts. A merchant can easily dupe customers if he keeps one card reader on the desk and a few others underneath the desk. After a purchase, the merchant can deduct money from all the bank accounts linked to the Aadhaar with the help of the hidden card readers. Cloning of fingerprints is not a very difficult task,” finds Ali.



According to Mohanraj, several banks are using outdated security systems, as the data theft a few months back made evident. There are several dos and don’ts a user has to keep in mind. It is not safe to make transactions when a phone is connected to public Wi-Fi. Some travel and e-commerce sites provide an option to store the credit/debit card number, expiry date, bank name etc. at the payment gateway. This can lead to theft of the data if the phone is misplaced or the personal computer is accessed by others. Storing these details on the phone itself should also be avoided. Credit card and bank statements have to be checked at regular intervals to detect any unintended payments.



“Some of the websites and mobile wallets subscribe to bug-bounty programmes, which are comparatively safe. While choosing e-wallets one can check this,” said Mohanraj.



Mobile wallets and other mobile apps should be downloaded only from authentic sources. Users should log out of these wallets every time a transaction is complete. Antivirus protection for mobile devices as well as personal computers is a must if they are used for financial transactions.



The most important thing to remember is that “hackers are more intelligent than common people”. One can mitigate the risk, at least the financial part of it, by opting for cyber insurance. Some of the mobile wallets have already tied up with insurance providers.



“Digitalisation is the way forward. It could be a company having just a website or one that does all its transactions digitally. As the digital presence grows, vulnerability to cyber attack too grows. With increasing awareness about vulnerability to attack, we are seeing increased adoption of cyber insurance,” said Mukesh Kumar, executive director, HDFC ERGO General Insurance.



sangeethag@mydigitalfc.com