Security in digital payments: urgent need for focus
Originally published in CXOtoday.com, 6 July 2017
The unprecedented push for cashless payments has enabled the growth of several FinTech and digital payments platforms alike. However, while e-wallets have gained traction and the utility of credit cards and net-banking has increased, the need for cyber-security has also received mainstream attention.
In the case of offline theft, the damage is limited to the amount of cash the person is carrying at that point in time. In digital transactions, however, the damage can be huge and is often irrevocable. For instance, when a group of hackers breached the security of British Mobile Company, they had at their disposal the private information of over six million users. The stolen data was then used to purchase mobile accessories, the expenses of which were borne by the unsuspecting users. In addition to covert sales, the stolen data has been leveraged for identity theft and extortion.
Given such high stakes, is India safe when it comes to online transactions?
Back in October 2016, barely a few days before the demonetization announcement that would go on to rock the nation, malware had infected the network of Hitachi ATMs. The attack had compromised the sanctity of data and allowed hackers to access login credentials and engage in covert transactions. The company could only do damage control by asking its users to stop using ATMs and issuing fresh cards.
Currently, private players, as a first step, have started building skill sets for risk management and anti-fraud solutions inside their organizations. For instance, most of the leading e-wallets and payment gateways carry PCI DSS (Payment Card Industry Data Security Standard) 2.0 certification. Furthermore, the use of 128-bit encryption has become an industry norm. However, while these standards lay the foundation for securing digital payments, the trifecta of government bodies, private players and users needs to work together to ensure the security of online transactions. Automated, real-time updating of the database of fraudsters is the need of the hour. Manual processes have to be done away with, as the number of online transactions exceeds 200 million per month for the mature players in the country.
Just like the nationwide demonetization drive, we today need a crusade to spread awareness of cyber-security. The Reserve Bank of India has already made it mandatory for FinTech and payments solution providers to authenticate online transactions with 2-way SMS authentication. Further showing its commitment to securing online transactions, in the Union Budget of 2017 the Government of India announced the setting up of a CERT (Computer Emergency Response Team) in order to safeguard online transactions and thwart possible cyber-attacks and hacks. In the near future, the government may also issue strict policies against online counterfeiting and guidelines for cyber-security, along with penalizing companies that fall short on security and hence put the sensitive information of their users in jeopardy.
Online payment gateway companies, particularly the payment aggregators that handle multiple payment methods (credit cards and debit cards, online banking, UPI, wallets, etc.), should build their own proprietary risk management and anti-fraud solutions. They should innovate and not outsource this critical solution entirely to third parties in the US, the UK or other parts of the world.
This will help sharpen the monitoring and tracking of online fraudulent behaviour and decrease the rate of blocked transactions, thereby increasing revenue for online sellers. Online sellers should be notified at the earliest following any unusual activity on their accounts. Besides, an interactive online seller dashboard may be used for communication. The government may join in the campaign by imposing an incentive and disincentive framework.
Users of today are perhaps the weakest link in the chain of cyber-security. As per the study conducted by IBM and the Ponemon Institute in 2015, India ended up topping the charts for the country facing the most targeted data breaches. The latest Norton Cyber Security Insights Report also reveals that Indians would not adhere to the right procedures and modules imperative for securing online transactions. Furthermore, Indians are the leading victims of ransomware attacks and yet, for some reason, they cannot stop opening links coming from unidentified or seemingly unauthentic sources.
This behaviour pattern definitely needs to change. Users must always transact through secure and authentic websites and apps. While the security of websites is reflected via the padlock icon or the ‘s’ suffixed to HTTP at the beginning of the URL, apps must only be downloaded from authentic sources. Besides, the importance of having an anti-virus and cyber-security app on their mobile devices and PCs cannot be overstated. These apps not only keep a tab on malware, ransomware and phishing apps but also block the activity of any other app extracting details while a user is transacting via net-banking, e-wallets or other such digital payments platforms.
Lastly, it is paramount for users to keep their email accounts secure. As India increasingly goes digital, email becomes a single gateway to every bit of sensitive user information. Most users maintain a single email account for multiple purposes. Hence, by simply cracking that one email account, hackers would be able to access every detail, from their account number and password to their passport number, age and more. Periodically changing the password or keeping different accounts with different service providers for different activities would make email more secure.