How Payment Companies and Banks are Fighting Cybercrime
As digital adoption increases, the important question to ask is how safe is it to transact online?
In less than three years since the launch of the Unified Payment Interface (UPI), transactions through this payment method have grown at a scorching pace, with the monthly count hitting a landmark one billion in October. Around 100 million people have started using this India-made technology, which countries around the world are looking to adopt. Beyond UPI, the volume of total retail cashless transactions increased by nearly 124 per cent from FY 2016-17 to FY 2018-19, as per the Reserve Bank of India (RBI) Annual Report 2018-19. The adoption of electronic means of financial transactions is music to the ears, as India has predominantly been a cash-heavy economy.
But here’s the dark side.
Earlier this year, private data of millions of users of Truecaller—an app with 500+ million downloads—was reportedly sold on the dark web, putting at risk the money of Indian users who rely on the app for UPI-based transactions.
In light of the recent Pegasus spyware attack on WhatsApp, RBI did not allow the messaging app to roll out its much-awaited UPI-based payment service, as it was deemed to put at risk the security of the financial data of the app’s users.
The 2019 Performance Against Customer Expectation (PACE) report by FIS, a financial services technology company, showed that the share of online payment fraud victims in India doubled to 37 per cent compared with the figure in its 2018 report. The report points out that as electronic payments have gone up, incidents of online fraud and data breaches have also jumped.
The onus of protecting users’ data lies with online merchants and payments companies, say experts. “Financial service providers should embed security measures thoroughly to reduce data leakage. Payment companies and wallets cannot shrug off their responsibility by just reporting a data breach but must show due diligence in preventing the dissemination of a contaminant,” says Pavan Duggal, Advocate, Supreme Court, specializing in cyberlaw.
Vishing Frauds on The Rise
Hundreds of thousands of digital payment users lose their money to social engineering fraud. These frauds rely on human interaction: the conman manipulates the victim into breaking security procedures or divulging sensitive information related to bank accounts, credit/debit cards or login credentials.
Some 150-odd cases related to UPI fraud alone were registered between July and September this year, as per a news report. The modus operandi in most of these cases was the same: the conmen got the victims to reveal their UPI-related information and then stole money from their UPI-linked accounts.
Given the manual nature of social engineering frauds, tackling them is not an easy task, say industry experts. “The scammer calls the victim posing as a bank official or a customer care executive and weaves a false story to extract sensitive information related to bank details. There is technically no way to detect such scams,” shares Harshil Mathur, Co-founder and CEO, Razorpay. Puneet Kapoor, Senior Executive Vice President, Kotak Mahindra Bank, concurs. “The biggest fraud in the banking industry is perpetrated through vishing calls. Fraudsters create make-believe situations and many gullible consumers fall for the narrative,” he says.
The vishing industry is not restricted to randomly targeting consumers through direct phone calls. “With newer technologies, the social engineering frauds have adapted to using malicious apps, sniffing tools etc. to convince the victim to part with sensitive information,” says Anuj Bhansali, Head of Risk and Fraud, PhonePe.
Fraudsters have also started tampering with the customer service contact details that appear for companies on Google, so that consumers end up calling fake numbers controlled by the fraudsters. “To raise a complaint with a service provider, most consumers’ basic disposition is to look for the customer service number of that company on Google search engine. Fraudsters are leveraging this consumer behavior to con them by directing them to a fake number which belongs to the fraudster,” says Kapoor.
A recent Kaspersky Lab report cited that 90 per cent of data breaches happen due to human error. This underlines the pressing need to increase awareness among consumers. “It is critical that regulators, the government and payment companies take cyber security awareness seriously as leakage of confidential data has led to massive cyber crimes,” says Rahul Tyagi, Co-founder, Lucideus, a cyber security platform.
Payments companies, banks and regulators have been taking preventive measures to fight fraud.
To limit data leakage at the time of the transaction, payment gateways have the customer enter card details on the gateway’s own page rather than the merchant’s, so the merchant never handles the raw card number. “We have an extensive security services system built on top of our payment gateway that ensures that the card number does not get leaked during the transaction,” explains Mathur of Razorpay.
Razorpay regularly goes through certifications and audits to ensure that there are no known vulnerabilities in its system. It also runs a bug bounty programme: a security researcher who reports a weakness in the system is rewarded with a lucrative sum.
“We have our own internal testers who continuously try to break our system to check for vulnerabilities. But the bounty programmes are quite effective as professional hackers from all over the world attack our system to detect bugs that they report back to us. It is better than a malicious hacker exploiting that bug and committing a cyber crime,” Mathur explains.
Banks and payments companies also use algorithms and artificial intelligence (AI) to monitor customer behaviour during transactions to detect any possible red flags.
At the transaction level, all banks have a fraud risk management (FRM) system that reads patterns across transactions. Explaining how this helps prevent fraud, Kapoor says, “In FRMs, certain thresholds are defined. If transactions breach those thresholds, then the bank raises an alert or even proactively declines the transaction under special circumstances.”
Banks use empirical data, fraud trends and industry updates from card companies—Visa and MasterCard—to create rules in FRM systems.
Vipin Surelia, Head—Risk Services, Visa South Asia, explains that Visa harnesses data from the billions of transactions that happen every day on its payment network for passive risk assessment and shares the results with its bank partners and subscribed merchants. “We collect multiple pieces of information from a transaction to create a risk score, which is then passed on to the customer’s financial institution, which decides whether to raise an alert or not.”
Fintech companies also use behavioural biometrics to get an accurate view of user identity. Razorpay has recently acquired Third Watch, an AI-based company that monitors a customer’s activity during a transaction to check whether it is a genuine customer or a fraudster.
“A typical customer follows a pattern of first keying in the card number followed by expiry date followed by the CVV. A hacker on the other hand uses a script that makes their responses quick. AI checks this pattern along with 100 more data points related to the IP address, device being used and the email ID, among others, to detect suspicious users,” says Mathur.
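The FRM thresholds Kapoor describes and the form-entry timing signal Mathur describes can be sketched together as a small rule engine. The code below is an added illustration, not the actual system of Kotak, Visa or Razorpay; the thresholds, field names and sample transactions are all constructed.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Txn:
    amount: float
    hour: int                      # local hour of day, 0-23
    new_device: bool               # device not seen before on this account
    key_intervals_ms: List[float]  # gaps between keystrokes while entering card details
    field_order: List[str]         # order in which the card fields were filled

# Constructed thresholds; a real FRM tunes these from empirical data and card-network updates.
AMOUNT_ALERT = 50_000.0
AMOUNT_DECLINE = 200_000.0
NIGHT_HOURS = range(0, 5)
HUMAN_MIN_INTERVAL_MS = 60.0     # every key faster than this looks scripted, not typed
EXPECTED_ORDER = ["number", "expiry", "cvv"]

def risk_score(t: Txn) -> int:
    score = 0
    if t.amount >= AMOUNT_ALERT:
        score += 2
    if t.hour in NIGHT_HOURS:
        score += 1
    if t.new_device:
        score += 2
    # Behavioural signal: scripted entry is uniformly fast and often fills fields out of order.
    if t.key_intervals_ms and max(t.key_intervals_ms) < HUMAN_MIN_INTERVAL_MS:
        score += 3
    if t.field_order != EXPECTED_ORDER:
        score += 1
    return score

def decision(t: Txn) -> str:
    """ALLOW, ALERT (flag for review) or DECLINE, following the threshold pattern Kapoor describes."""
    if t.amount >= AMOUNT_DECLINE:        # hard threshold: decline regardless of other signals
        return "DECLINE"
    s = risk_score(t)
    if s >= 5:
        return "DECLINE"
    if s >= 3:
        return "ALERT"
    return "ALLOW"

# Constructed sample transactions: a human on a known device, a script on a new device,
# and a large night-time purchase on a known device.
HUMAN = Txn(1200.0, 14, False, [180, 240, 210, 190, 300, 220], ["number", "expiry", "cvv"])
SCRIPT = Txn(1200.0, 14, True, [12, 9, 11, 10, 8, 12], ["cvv", "number", "expiry"])
BIG_NIGHT = Txn(75_000.0, 2, False, [200, 190, 230], ["number", "expiry", "cvv"])
```

Running `decision()` over the three samples gives ALLOW, DECLINE and ALERT respectively; the point is that the keystroke-timing signal alone is what separates SCRIPT from HUMAN on an otherwise identical purchase.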
Time to Fight Fraud Proactively
Tyagi of Lucideus believes the initiatives for cyber security have so far been largely preventive rather than proactive. “Organizations need to adopt risk quantification platforms which can give them a clear picture of their entire security posture through a proactive approach and in real-time. Such an approach will help them make informed decisions on cybersecurity,” he says.
Duggal adds that India lacks a dedicated cyber security law, which makes it difficult to enforce security norms. “Though the IT Act contains some important parameters, it does not have strict guidelines for payment companies to address the concerns related to data protection,” he says.
If not tackled head-on, online payment fraud may prove to be the Achilles’ heel of India’s aspiration to become a ‘cash-lite’ country, as articulated in the recently released ‘Payment and Settlement Systems in India: Vision 2019–2021’ by RBI.