On 8th of November, Prime Minister Narendra Modi surprised everyone with the sudden move of “demonetization”. A day after, one of the leading e-wallet service provider in India, Paytm issued a full-page advertisement in the print media thanking the government for taking the “boldest decision in the financial history of India”. The dawn of cashless economy had finally arrived in India with demonetization causing cash crunch in the country and compelling consumers to shift to alternate modes of transaction that includes e-wallets like Paytm, MobiKwik and FreeCharge in addition to net banking and debit and credit cards. Since then, there has been an exponential increase in the use of digital wallets by the consumers spanning across the length and breadth of the country as much as they have even over taken the credit and debit cards. As per a statement given by Paytm Vice-President, the company is now witnessing 7 million daily transactions worth Rs 1.2 billion which is more than the daily transaction value of credit and debit cards put together. The question that now begets attention is “How safe are these e-wallets?”
What does the law say?
At present, the digital wallets are regulated by RBI’s Master Circular on Pre-Paid Payment Instruments. The RBI circular provides a framework for the regulation and supervision of the entities operating the e-wallets in the country. In other words, the Master Circular lays down the eligibility criteria and conditions like minimum capital requirements for starting the business, cap on the amount of money people can hold in their e-wallet accounts, anti-money laundering provisions and dispute settlement and grievance redressal mechanism for the consumers. The circular does not lay down any minimum standards of security which these service providers need to adhere. In the “Fraud prevention and Security Standards” section, the circular says “The pre-paid payment instrument issuers shall put in place adequate information and data security infrastructure and systems for prevention and detection of frauds.” In the absence of any minimum-security standards, millions of consumers are now exposed to cybercrime. Given the lack of cyber awareness among people and the hackers world-wide getting attracted to Indian financial system after the demonetization move, the risk of digital fraud and people losing their hard-earned money to lone-wolf hackers has increased exponentially. The circular leaves the consumers further vulnerable as it does not establish any liability in case of fraud that occurs due to poor security measures.
Security Standards followed by e-wallet service providers
The sudden spurt in the use of e-wallets has compelled the service providers to suo-moto improve their security standards. In the absence of any legally mandated minimum security standards, each e-wallet service provider is coming up with its own feature. MobiKwik has come out with a finger print sensor for iPhones, Paytm with an app password. In addition to these, two factor authentication has been introduced by Paytm and MobiKwik while FreeCharge uses its own patented technology named “On the Go Pin”. But is this much security enough?
- Unlike their foreign counterparts like AliPay in China, Samsung Pay in the U.S and Fido in Japan, none of the e-wallets in India are using hardware based security layer which makes these apps prone to malware and subsequently less secure.
- The e-wallet apps have no pre-requisites for installation on your smartphone. As much as they are adhering to the demand of the business, they have a responsibility to ensure maximum security for the consumers. If a user has a jailbroken phone with rogue third-party app installed in the smartphone, the malware can easily steal the sensitive information at the time of onboarding, by storing the keystrokes on the phone.
- Unlike credit cards, the e-wallets service providers are custodians of public money because of their pre-paid nature. In such a scenario, it becomes even more important for these service providers to have an incident response plan and a crisis management team for responding to any breach or security incident. However, my research over the internet tells me none of them have any such mechanisms in place. At the best, MobiKwik has a fraud detection team that continuously monitors for frauds and alerts the consumer about suspicious transactions. But given the volume of transactions being handled by these e-wallets an incident response plan at par with global standards needs to be there in place which is least likely to happen unless liability for fraud and breach is not fixed by the government.
- E-wallets are also vulnerable to the insider threat, a threat in which a malicious actor has an authorized access to the systems and networks of the organization. In the absence of any policy to tackle insider threat, the e-wallets have been rendered highly unsafe. It would be important to mention that the forensic report on Bangladesh cyber heist has concluded that some employees were responsible for $81 million cyber theft. They directly participated in the crime by deliberately exposing their systems to the hackers. Additionally, the lack of cyber awareness among employees working in these companies also puts the consumer at high risk. Hackers can easily steal employee login credentials by using sophisticated techniques like spear phishing thereby gaining access to their network servers.
- E-wallets are also exposed to the “third-party” vendor risk. In India, you can find many e-wallet services integrated with other services like food delivery and cabs. Example, Uber has Paytm service integrated with it. We need to take learning from the Target incident, one of the largest breaches in the U.S in which credit card details of 40 million customers were stolen. The hackers got access to the Target servers by phishing out the access credentials of a third-party vendor. If not directly, the hackers can also deploy the same method to breach into the servers of e-wallets in India.
- Finally, the lack of security culture is a concern for all organizations in India and e-wallets service providers are no exception to that. Unless, a proper security culture with CISOs and CIOs hired to inculcate cyber hygiene, devise incident response plans, check security architecture and promote board room discussions on security isn’t brought into place, the security architecture of organizations will continue to be merely a stop-gap arrangement and the consumer will continue to remain at risk.