Just days after the “surgical strike” on Pakistan and days before the government announced its demonetisation move urging Indians to shift to a cashless economy run on internet and plastic cards, India reported its biggest internet banking security breach.
Over 3 million debit cards and their PIN numbers, including those powered by Mastercard and Visa, were stolen by hackers. The Ministry of Finance reported that Rs 2.5 lakh was stolen from the accounts of Indians. Multiple public and private banks were affected. The nature of the attack was such that any individual using these cards across India would have been vulnerable to her money being stolen.
With Finance Minister Arun Jaitley and his secretary Shaktikanta Das propagating mobile wallets, internet banking and other forms of cashless transactions using the internet, Indians need to be a worried lot. That’s because India’s banking system and private mobile wallets are highly vulnerable to such attacks that put the hard earned money of people at risk.
A Deloitte report in 2015 estimated that internet banking frauds constituted 59% of the cyber-crimes in India.
ATM fraud, internet banking, debit and credit card cloning made up 42% of the total internet-related banking fraud. The report noted, “Cyberattacks on financial institutions are both increasingly diverse - and therefore unpredictable - and are also here to stay. Many of these continue to be driven by financial gain. The impact of cybercrime is not just financial, but also on the organization’s reputation and customer confidence.”
Indians are banking more through the internet than ever. According to Reserve Bank of India (RBI) data, 85% of all reported transactions at banks in 2015-16 were through the internet in volume terms. In 2014-15, this figure stood at 75%. In pure value terms, 95% of all transactions in banks were done electronically. The National Electronic Funds Transfer (NEFT) facility recorded 1.2 billion transactions worth $1.3 trillion in 2015-16. The number of transactions as compared to last year had increased by almost 250 million.
A report by PricewaterhouseCoopers (PwC) drafted along with ASSOCHAM in June 2015 stated that 65% of the fraud cases reported by Indian banks were related to internet banking and debit cards. These include debit card skimming by installation of cameras and skimming machines in ATMs to steal data. In August this year, four Romanian nationals employed this technique in Kerala and duped hundreds of customers of their hard earned money. The CBI has issued a red corner notice against three of them after the police managed to nab only one of them. Virus attacks, identity thefts and phishing continue to pose a threat with Indians still unaware about protective measures.
The report also stated that the number of Indians using mobile phones has shot up drastically. In 2016, the number of mobile phone users in India crossed one billion. With the government urging more people to use mobile wallets, the number of people transacting through their mobiles could also go up drastically.
The PwC report stated that the number of Indians shopping through their mobiles had increased by 800% in 2013. The report noted that Indians were susceptible to various types of frauds while using mobile banking and mobile wallets. These observations also apply to wallets like Paytm which have been aggressively promoted after the government announced its demonetization measures.
The report further noted that mobile wallets were prone to misuse which could lead to unauthorized deductions from the wallet of a customer without her
Recent reports suggest that their security measures were so lax that even amateur criminals were able to misuse them. For instance, in January this year, the Bengaluru police busted a network that stole money from the mobile wallets of Axis Bank and State Bank of India (SBI). Most of these mobile wallets do not even have an auto log off facility. That means unauthorized access to a person’s phone could lead to money being siphoned off from the wallet.
According to the report, mobile banking too is highly risky in India. Many banks appoint a third-party vendor to develop and manage mobile banking applications. This gives the vendor access to critical bank account information of the customer which could be misused by the vendor’s rogue employees. Moreover, the threats of SIM card swaps and malware affecting mobile phones still remain a grim reality.
“Mobile payments in India are still not governed by any legal provisions. These payments are mostly contractual obligations. With lax cyber security, the weakest link in this chain is the bank customer,” says Pavan Duggal, a Delhi-based cyber law expert.
The Indian Computer Emergency Team (CERTIN) under the Ministry of Electronics and Information Technology reported almost 10,000 malicious virus attacks in 2015. This did not include malware attacks on mobile phones but included only desktop systems. This was more than double the cases it handled in 2014. A decade back the total number of cases reported to CERTIN was just 24. But CERTIN only handles cases that are given to it by the government. A majority of the cases are not referred to CERTIN and a large number of them go unreported. It is also well known that organisations like CERTIN and National Technical Research Organisation (NTRO), charged with India’s cyber security, are not able to find or retain talent due to the ministry’s bureaucratic style of functioning.
What further compounds the problem is the limited immunity that bank customers have in case they become victims of online fraud. The RBI issued a circular in August this year suggesting new liability norms for customers who become victims of online financial fraud. The RBI’s new notification is worrisome for two reasons. Firstly, the RBI mentions that when a customer suffers a loss due to her negligence, she shall bear the entire loss until she reports the unauthorised transaction to the bank. This could be problematic because in many online frauds the customer would not even receive a notification for her transaction and could be unaware about it for a long time. Moreover, illiterates and those with limited knowledge of banking facilities in rural areas wouldn’t be able to even identify an online fraud.
Secondly, the RBI limited the liability of the bank in case of breach by a third party. If a customer fails to report an unauthorized online transaction on her account to the bank within seven working days, then she is entitled to no more than Rs 5000 as compensation irrespective of her loss. In case the customer takes more than seven days to report the fraud, then the bank is under no liability to compensate her.
With the government nudging people to go cashless, millions of Indians still remain vulnerable to online theft of their hard-earned money over which they may have little control.