In the wake of the National Cyber Security Coordinator’s startling revelation of 1.5 lakh online transactions being compromised every day, digital payment companies in India are walking on thin ice when it comes to protecting user data.

On February 13, the National Cyber Security Coordinator, Gulshan Rai, revealed that 1.5 lakh, out of the 230 crore online transactions, are compromised every day in India. Interestingly, the Computer Emergency Response Team (CERT) pegs that number at a modest–but no less alarming–40,054, in 2017 alone.

CSO India talks to industry leaders in the digital payments space to get a read on what’s putting digital wallets at risk, and why the existing authentication process is simply not enough to keep fraudulent transactions at bay.

Why OTP authentication cannot be relied upon

“Wallets are generally very insecure. The general security practices that people have for wallets are fraught with so many loopholes,” says Ramki Gaddipati, co-founder and CTO of Zeta India.

Elaborating on his point, he explains that most wallet transactions are limited to One Time Password (OTP) as an authentication mechanism. Over 90 percent of the populace using digital payments use Android devices, and there are numerous fraudulent apps that users may download based on some promotion. These apps have access to the user’s SMS. It’s no big deal to trigger an SMS for a user and read it, in an Android environment. So anyone relying on OTP-based authentication is susceptible to this vulnerability.
Harshil Mathur, CEO and co-founder of Razorpay, shares this viewpoint, saying that the most common reason for data being compromised stems from the lack of awareness among users, which results in them divulging account details and OTPs via fake emails, SMSes, or over phone calls from people pretending to be bank officials. He points out that there have been cases where customers’ cards were used for offshore transactions, because there is no OTP authentication in place, and all that’s required is the users’ card details.

“RBI has received a lot of complaints, there have been pro-active measures that have taken place and sometimes the money has been reversed, but most of the fraudsters were able to get away with the money,” says Mathur.

Vimal Gupta, VP–server engineering, IT and InfoSec at MobiKwik, in an earlier interaction with CIO India, had stated that the current challenge is to enable more security features to handle malicious traffic. The other factor to be considered is application optimization, to deal with a smoother flow of traffic.

The KYC conundrum

On October 11 last year, RBI mandated digital payment companies to ensure KYC compliance by the end of the year, and the deadline was later revised to Feb 28, 2018. The mandate also states that customers who haven’t updated KYC details can store no more than Rs 10,000 in their wallets.

Highlighting the importance of KYC, Gaddipati says: “The information digital wallet providers have about their customers is next to nothing. And from a customer experience point of view, they can’t really deny users access to their money. With no KYC data, digital wallet companies have no information with which the user can be authenticated.”

He adds that the recent Aadhaar breach has unimaginable consequences on the general payment ecosystem. This is because the security questions customers are asked by digital payment companies are generic ones like DoB, father’s name, or PIN code.
Now all this information became readily available after the Aadhaar data exposure. “I can say that 100 percent of digital payment systems today remain compromised,” says Gaddipati. He explains that if a customer calls and says that his/her information has been compromised, there’s no recourse for digital payment companies to act on that information.

Throwing light on emerging technologies being leveraged to bolster security, Mathur cites the example of how RBI is ensuring that banks adopt NFC-based cards on the Europay, MasterCard and Visa (EMV) standard. As they have stronger security standards, you cannot use a random OTP in someone else’s device, and this is one way of curbing fraud.

With respect to the blockchain, he foresees a lot of banks deploying the technology, but thinks it is unlikely to be seen in the digital payments system. However, he believes blockchain can definitely be deployed in the remittances system to reduce costs and operate in real time.