By Nishant Arora
With more and more people logging into e-wallets or m-wallets for daily payments, the target for hackers has increased exponentially, experts warn, suggesting that upgraded security is the only way to safeguard millions of first-time users and small and medium businesses from losing their hard-earned money.
The government's demonetisation drive and the resultant cash crunch have led to digital wallet firms witnessing an unprecedented rise in their usage and popularity -- with people using them for everything from buying groceries and vegetables to local travel.
The country's largest m-wallet, Paytm, registered over seven million transactions worth Rs 1.2 billion in a day after the demonetisation drive began as millions of consumers and merchants across the country started opting for mobile payments on its platform for the first time.
Another mobile wallet major, MobiKwik, which launched MobiKwik 'Lite' late last month, registered over two million downloads within the first two days of the 'Lite' offer. Global payment solutions provider PayU observed a hike in average daily transactions from Rs 1.2 million to Rs 2.5 million post-demonetisation.
Cyber experts emphasise that as the numbers swell, newer forms of vulnerabilities will be exposed in the payment gateways.
"Unarguably, with the digitisation drive comes the responsibility to safeguard against cyber pickpockets (cyber criminals) who will be on the prowl against unsuspecting consumers. Considering that cashless payments will become both a necessity and a huge convenience, it is imperative that security becomes embedded by design rather than a bolt add-on from mobile-wallet payment firms," Anand Ramamoorthy, Managing Director, South Asia, Intel Security, told IANS.
This essentially means that data security infrastructure along with customer-redressal mechanisms will have to be well thought of and the purview of IT laws for cyber crimes will have to be expanded to include mobile-wallet payment systems.
This is how hackers can attack your money in e-wallets: Create multiple fake accounts to collect money in small amounts; cheat people who are digital novices by psychological manipulation; and breach servers and steal data.
According to Vidit Baxi, Director (Technology) at the IT risk assessment and digital security services provider Lucideus, e-wallets are at greater risk than ever as users grow and hackers identify digital payment gateways as a lucrative opportunity.
"That being said, let's understand that even the largest banks on the planet have been digitally hacked, so there is nothing like 100 per cent security. It's all about managing the risk and minimising it to whatever extent possible. It is clear that the benefits of digital payments far outweigh the risks but, at the same time, such risks have to be continuously monitored and managed," Baxi told IANS.
The time is ripe for e-wallet firms to adopt the latest technologies to safeguard their gateways before a major cyber attack hits them -- and the users' confidence in moving forward digitally.
According to Upasana Taku, Co-founder, MobiKwik, the company takes security seriously and puts it at the centre of all user interactions with the platform.
"Mobikwik is PCI-DSS and ISO 27001 certified, takes care of the various information security measures to ensure the security of application and protect its business from emerging threats and frauds. For us, security is not just a state, it's a process that is applied in every new feature or new product development. With great power comes great responsibility, and we take that responsibility very seriously," Taku told IANS.
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organisations that handle credit cards, while ISO 27001 is the international standard that describes best practice for an information security management system (ISMS).
PayU India says it has invested Rs 50 crore for the protection of data shared on its platform.
"At the end of the day, we are dealing with people's money, hence privacy and making data secure is paramount. Our payment gateway is PCI-DSS compliant, thus standing at par with industry standards of data security and integrity. We could seamlessly accommodate the hike [in user numbers] because technology has always been one of our strengths," B. Amrish Rau, CEO, PayU India, told IANS.
"As the cash holdings in bank accounts have grown manifold, it is extremely important that we put the best security practices in place while investing efforts in educating people as they are gradually picking up pace on their cashless journey," added Bhavik Vasa, Chief Growth Officer, ItzCash.
E-wallet companies must ensure that the user credentials are tokenised, cryptographic and authenticated before the transaction takes place.
"Since most of the user data is stored in Cloud, the service providers should ensure that their servers are well protected with standardised firewall and server security," noted Amit Nath, Head of Asia Pacific (Corporate Business) at F-Secure, a European cyber security provider.
Masking user details on the mobile while transacting will be an added advantage. "Educating people to use a technology, a good antivirus on mobile, Wi-fi protection, anti-malware and banking protection on mobile devices gives an added protection to the users," Nath told IANS.
"Since people with less digital experience like small-time street vendors are thronging e-wallets, providing proper training and frequent messages to customers to make them aware of fraud techniques is the need of the hour," added Ankush Johar, CEO, BugsBounty.com.
Establishing if a cardholder is shopping from a recognised payment device can help merchants and issuers distinguish between good and bad transactions.
"It is simply no longer acceptable for the time-of-detection to reaction to containment to take hours or even minutes. To accelerate this process and keep up with the enormous volume of sophisticated threats, security architectures and processes must evolve and be automated," Ramamoorthy told IANS.
(Nishant Arora can be contacted at firstname.lastname@example.org)