VAR Panchayat
Digital Payments Need Cyber Security
2017-03-30
India has still not defined dedicated laws for digital payments under a modernized IT Act
Most financial institutions are overconfident about their legacy security deployments, with only infrequent audits carried out to assess the vulnerability of their networks to innovative hacking efforts. The need of the hour is for organizations to constantly monitor their networks for breaches with self-learning methods that detect threats and automatically activate enterprise immune-system technology that fights back quickly.
Cybercrimes are cheap to carry out, even by “lone-wolf” attackers, but require a large pool of expensive resources to prevent. Centralized data makes for easier access and greater vulnerability to attacks. With cloud services leading to the growth of new digital spaces that provide access to large data sets from around the world, the explosive growth of the IoT ecosystem and the use of connected devices for digital payments, the security of the network has been thrown open to the weakest link in the security chain: the end-user, whose PC, mobile phone and even use of public Wi-Fi and ATMs can be a means of access to any network, becomes the point of vulnerability. As such end-users’ information is gathered from their web usage patterns and even social sites, a new threat to user authentication is emerging. Well-researched, sophisticated cyberattacks are now based on the use of machine learning techniques. As an example, attackers are increasingly using IoT devices and artificial intelligence for ransomware, phishing and DDoS attacks. Seemingly harmless IoT devices provide a gateway to attackers – particularly IoT devices which cannot receive software updates to plug manufacturing flaws, such as security cameras and smart TVs, which can be hacked and remotely controlled as part of a botnet army. The growing use of BYOD on cloud-based infrastructure with connected data is another area prone to cyber-attacks.
In such a situation, when it is harder for end-users to manage the security of their devices, it has become necessary for service providers to create virtual security services all the way to the end-points to prevent attacks. The above scenario throws up the following questions:
Who should be responsible for security of digital infrastructure where the vulnerabilities of a device or platform can affect the entire ecosystem?
Responsibility for law and order is a state subject. The Internet aims to provide every user across the globe with access to its network, but cyber security is a private service, mostly provided at the national level in a few countries. How can the public and private sectors work effectively across a global digital network for the public benefit of the world at large?
How can a low-end device (low in both security and cost) provide affordable and secure access to the Internet?
While the above technology issues need to be addressed proactively by players in the industry, there are two other aspects that need urgent attention from the government to lay solid foundations for secure digital transactions.
Even as India is now pushing for large-scale adoption of online transactions, its institutions have not kept pace with the demands of a rapidly-evolving digital space. It has still not defined dedicated laws for digital payments under a modernized IT Act, with suitable modifications of the Indian Penal Code to prevent, or failing that convict, a mala fide hacker. Cybersecurity parameters for digital payments are still kept largely under the ambit of the Information Technology (IT) Act. While the Reserve Bank of India (RBI) usually sets security and privacy standards for banks in the country, for fintech companies (which include mobile wallet operators) security compliance falls under Section 43A of the IT Act, which lacks an enforcement mechanism, so that such transactions become contractual agreements that can be repudiated. In fact, many ISPs and telcos do not comply with Section 43A! The lack of privacy laws and security laws puts the burden on the consumer to prove that he has been wronged. There are no legal mechanisms defined for the settlement of disputes arising from digital payments.
With Aadhaar as the key to user identification, the Indian Government is moving towards defining security by biometric identity. Without a well-defined privacy law and strong data protection regulations (as stated above), our march towards a digital economy is not secure. This is in complete contrast to the work being done in developed economies, where security comes through anonymity and the use of encryption to secure the user’s privacy. With new threats emerging to the use of biometrics as well as to the user’s privacy, it is necessary to conceal each user’s Aadhaar details during any transaction through the use of Blockchain and other technologies, resulting in the generation of a temporary unique transaction ID which is extinguished on the completion of each transaction; the use of a PKI key pair on each leg of the transaction; and the use of at least 128-bit encryption for each transaction.
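As an added illustration (not from the article), a minimal Python sketch of the temporary-transaction-ID idea in the paragraph above: a vault issues a random 128-bit ID that stands in for the Aadhaar number for one transaction and is extinguished on completion or expiry, so the raw identifier never travels with the payment. The vault class, its TTL and the sample number are assumptions; the per-leg PKI signing and transport encryption the article also calls for are outside this sketch.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample value for the demo; not a real Aadhaar number.
SAMPLE_AADHAAR = "123456789012"


@dataclass
class _Entry:
    aadhaar: str
    expires_at: float


@dataclass
class TransactionIdVault:
    """Maps a random, single-use transaction ID to the Aadhaar number it stands in for.

    Only the ID is sent along the transaction; the number stays inside the vault.
    """
    ttl_seconds: float = 300.0
    _entries: Dict[str, _Entry] = field(default_factory=dict)

    def issue(self, aadhaar: str, now: Optional[float] = None) -> str:
        if not (len(aadhaar) == 12 and aadhaar.isdigit()):
            raise ValueError("Aadhaar number must be 12 digits")
        now = time.time() if now is None else now
        # 128 random bits: unlinkable to the number and infeasible to guess.
        # A hash of the 12-digit number would not do: 10**12 inputs can be
        # enumerated offline, so a hashed ID is effectively reversible.
        tid = secrets.token_hex(16)
        self._entries[tid] = _Entry(aadhaar, now + self.ttl_seconds)
        return tid

    def resolve(self, tid: str, now: Optional[float] = None) -> Optional[str]:
        """Look up the number for a live ID; expired IDs are extinguished on sight."""
        now = time.time() if now is None else now
        entry = self._entries.get(tid)
        if entry is None:
            return None
        if now >= entry.expires_at:
            del self._entries[tid]
            return None
        return entry.aadhaar

    def complete(self, tid: str) -> bool:
        """Extinguish the ID once the transaction finishes; it cannot be replayed."""
        return self._entries.pop(tid, None) is not None
```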
Implementing the above suggestions will take time. In the interim, until the government goes about defining industry-specific laws which lay down the rules to be followed for mobile payments, it is necessary for all fintech industry players to come together and define their own national security standards for digital payments and grievance redressal, so as to generate consumer trust and confidence in a rapidly-growing digital payment environment.