Dec 30, 2016, 10.13 AM IST
By Ramki Gaddipati
The recent demonetisation move in India has pushed us to move to a cash-free economy. This shift, which would have otherwise taken three years, is now expected to take just three to six months. Digital payments have also recently hit record transactions.

With digital payments witnessing record transactions and more and more people joining the cashless bandwagon, there is an obvious question on everyone's mind: are digital transactions safe?

The pace of the development and integration of new technologies is much faster than the pace at which security protocols and defence mechanisms are implemented. This is what makes these technologies vulnerable to cyber-fraud. For example, 3.2 million card details were stolen in October in India - making the theft India's biggest data breach.

Members of India's new digital economy need to be aware of the vulnerabilities in the digital and mobile payment systems. Here are the key ways in which digital payments can be breached.
1. Key Logger: Just as tap dancers are strongly aware of how and when their tap shoes strike the floor, a key logger is software that records the key-strokes made by the user on the keyboard. Static passwords like 3D PINs or banking passwords, which are entered regularly, are vulnerable to cyber-fraud through a key logger, as it can record regularly typed passwords without the user's knowledge. Using a dynamic PIN is a smart solution to the breach caused by key loggers. It is also beneficial to use apps that have an in-app secure swipe instead of ones that require the keying in of an OTP.
2. Social Engineering: Those calls that seem to come from the bank might not really be from the bank itself. Credit and debit cards are used at many online merchants and marketplaces. Even if these online transactions use OTPs and CVVs, someone may call the cardholder and pretend to be a representative of the bank, acting as if an online transaction needs to be confirmed, and subsequently ask the cardholder to share the received OTP. Once the OTP is disclosed by the cardholder, a fraudulent transaction can take place.
3. OTP Pop-Ups: As One Time Passwords have a limited time validity (in minutes), they are believed to be secure. However, OTPs mostly appear as pop-up notifications on mobile phones. These pop-up messages are clearly visible, even if the mobile phone is locked. This means that the OTP can be easily read without the permission of the user, leaving the transaction open to being breached.
4. OTP Accessibility: Although an OTP is essential, the medium through which it is delivered is of utmost importance. Most of the time, a One Time Password is sent as an SMS. The problem with this is that many apps can read SMS messages. This means that if an app is malicious, it can misuse the OTP that has been received. Therefore, users should be aware of what privileges they give to the apps on their smartphone, and should also look at the reviews and number of downloads of the apps they choose.
5. EDC Machines: Even with a second-step PIN verification, swiping a card on an EDC machine is not as safe as it seems. EDC machines are susceptible to breach, and a compromised machine can copy the details of the cards when swiped. Most debit and credit cards have a static PIN, and even these PINs can be stored in compromised EDC machines. A breach like this can give fraudulent groups easy access to the personal data of cardholders. A dynamic PIN for physical credit or debit cards could be a strong safeguard against compromised EDC machines.
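Points 1 and 5 above both argue that a recorded static PIN can be reused, whereas a dynamic PIN cannot. The following added example (not code from the column or from Zeta) makes that argument concrete: it derives a time-slotted, HMAC-based dynamic PIN from a constructed shared secret and shows that a captured static PIN verifies again on replay, while a captured dynamic PIN is refused both within its window (already used) and after it (expired). The secret, static PIN and 30-second window are assumptions chosen for the demonstration.

```python
import hmac
import hashlib
import struct

# Constructed demo values: a placeholder shared secret between issuer and
# cardholder device, and a placeholder static PIN. Neither is a real credential.
SECRET = b"demo-shared-secret-not-real"
STATIC_PIN = "4321"
WINDOW = 30  # seconds that one dynamic PIN stays valid (assumption)


def dynamic_pin(secret: bytes, t: float, digits: int = 6) -> str:
    """Derive a PIN from the current time slot: HMAC(secret, slot) truncated
    to `digits` decimal digits. Entering the same digits in a later slot fails."""
    slot = int(t // WINDOW)
    mac = hmac.new(secret, struct.pack(">Q", slot), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class Issuer:
    """Server side: checks PINs and refuses to accept a dynamic PIN twice."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.used: set = set()  # dynamic PINs already spent (burned on use)

    def verify_static(self, pin: str) -> bool:
        return hmac.compare_digest(pin, STATIC_PIN)

    def verify_dynamic(self, pin: str, now: float) -> bool:
        if pin in self.used:                      # replay of a spent code
            return False
        if not hmac.compare_digest(pin, dynamic_pin(self.secret, now)):
            return False                          # wrong slot or wrong digits
        self.used.add(pin)                        # one-time: burn it
        return True


def replay_static(issuer: Issuer) -> tuple:
    """Legitimate entry, then a replay of the same recorded digits."""
    recorded = STATIC_PIN
    return issuer.verify_static(recorded), issuer.verify_static(recorded)


def replay_dynamic(issuer: Issuer, t0: float) -> tuple:
    """Legitimate entry at t0, replay 5 s later (same slot), replay two slots later."""
    recorded = dynamic_pin(issuer.secret, t0)
    first = issuer.verify_dynamic(recorded, t0)
    same_slot = issuer.verify_dynamic(recorded, t0 + 5)
    later = issuer.verify_dynamic(recorded, t0 + 2 * WINDOW)
    return first, same_slot, later
```

A real deployment would also prune the spent-code set once its slot has passed and would tolerate small clock skew between device and server; both are omitted here to keep the replay contrast visible.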
As there are many threats and vulnerabilities in digital payment systems, we need a system that goes much further than regular security standards. This digital payment system should have more than two layers of security so that it is virtually impenetrable. The system should be planned in such a way that each layer both stands independently by itself and also smartly integrates with the overall security structure. From requiring a password just to access the digital payment system to not needing to key in a PIN, this system should have multiple security checkpoints so that only the authorised user can successfully, yet easily, make payments through it.
The author is Co-founder and CTO, Zeta, a fin-tech start-up.
(Disclaimer: This column does not necessarily reflect the opinion
of The Economic Times, it's an independent view)