The recent breach of debit cards at major banks, together with a sudden proliferation of new technological features from financial services firms to facilitate digital payments, against the backdrop of the government's push for a cashless economy, creates a zone vulnerable to cyber breaches. This is particularly significant considering the squeezed timelines in which some of these features have been rolled out.
Several financial technology companies and banks, both private and public, have introduced a slew of features to facilitate digital payments in the backdrop of the Centre withdrawing 86 per cent of the currency (by value terms) from circulation.
Wallet firms Paytm and MobiKwik launched services on November 23 and November 28, respectively, to enable merchants using their platforms to accept payments from customers who do not use these wallets. While Paytm launched an app-based point-of-sale terminal, MobiKwik launched a stripped-down version of its app, called MobiKwik Lite, which acts as a payment gateway.
Another financial technology company, Razorpay, launched an eCOD feature on November 15, allowing its merchants to collect payments from their customers at the time of delivery via non-cash payment modes such as the Unified Payments Interface (UPI) or digital wallets. A delivery person can also generate an instant payment link at the time of delivery that lets the customer pay via credit card, debit card or net banking.
“During a shortened time frame for the launch of products there is a high likelihood of all processes not being followed and some of the steps may be overlooked. In this, there is a possibility of appropriate testing for cybersecurity not being performed, which may expose the product to various forms of attack. There is not much precedent of this being observed in banking products, but in non-banking products this has been witnessed,” said Atul Gupta, partner, IT Advisory, KPMG.
At the launch of Paytm’s service, CEO Vijay Shekhar Sharma had explained how the idea of having an app-based point-of-sale terminal for India was conceived earlier, but had been kept on the back burner. “But as soon as we saw demonetisation, we said let’s just start working on it,” Sharma said, adding that the firm started working on the feature less than a week before its launch.
Only a day after its launch, Paytm rolled back the service citing concerns around customer data and privacy, and said that it has decided to add additional certifications and features before making it available to merchants.
MobiKwik was also quick to develop its new service, through which a merchant can have a link sent to a customer for making the payment. “We didn’t believe that we’re serving the entire population of this country even before November 8. It was in the back of our mind, but we had not started any work … but as soon as it happened we tried to train people with MobiKwik, but we saw that this is not going to scale. So, we put together a very small team; in ten days, they’ve put this together and have got the app to launch,” MobiKwik CEO Bipin Preet Singh said.
Apart from these two, several cases of big banks getting on board with the National Payments Corporation of India’s UPI platform after November 8 also indicate the sense of urgency with which the push to increase digital payments traffic has been addressed.
Nilesh Jain, country manager (India and SAARC) at Trend Micro, said that with the increasing number of online transactions, there was a possibility of companies missing out on basic security functionality in the hurry to develop new applications and get back to customers. “This is why in the last couple of months, we have seen some of the largest banks of the country getting compromised — either their ATM cards, debit cards, or servers in some cases,” he said.
“There could always be a risk when someone designs an application which is not completely foolproof. There could be vulnerabilities from a source-code perspective if it was done in haste; it does not have security protocols because people jump on the bandwagon on account of the mad rush,” said Amit Nath, head of Asia-Pacific (corporate business) at cybersecurity firm F-Secure.
Nath said that while in the shorter term there was a possibility of people transacting digitally being conned, the risks extended to the longer term too. “Someone may have hacked your system and been there for as long as eight or nine months before he decides to make a move. We call this breach blindness. Now, because of demonetisation, a lot of people and organisations may not get affected immediately, but nine months later,” he said.
Cybersecurity companies, on the back of these red flags, have also seen increased demand from their clients to ensure that any vulnerabilities are addressed before a breach occurs.