The recent demonetisation move in India has pushed us to move to a cash-free economy. This shift, which would have otherwise taken three years, is now expected to take just three to six months. Digital payments have also recently hit record transactions.
With digital payments witnessing record transactions and more and more people joining the cashless bandwagon, there is an obvious question on everyone's mind: are digital transactions safe? The pace of the development and integration of new technologies is much faster than the pace at which security protocols and defence mechanisms are implemented. This is what makes these technologies vulnerable to cyber-fraud. For example, 3.2 million card details were stolen in October in India - making the theft India's biggest data breach.
Members of India's new digital economy need to be aware of the vulnerabilities in the digital and mobile payment systems. Here are the key ways in which digital payments can be breached.
- Key Logger: A key logger is software that records the keystrokes a user makes on the keyboard. Static passwords such as 3D PINs or banking passwords, which are entered regularly, are vulnerable to a key logger, since it can capture them without the user's knowledge. Using a dynamic PIN is a sound defence against key loggers. It is also safer to use apps that offer an in-app secure swipe instead of ones that require keying in an OTP.
- Social Engineering: Those calls that seem to come from the bank might not really be from the bank itself. Credit and debit cards are used at many online merchants and marketplaces. Even if these online transactions use OTPs and CVVs, someone may call the cardholder, pretend to be a representative of the bank, claim that an online transaction needs to be confirmed, and then ask the cardholder to share the OTP they have just received. Once the cardholder discloses the OTP, a fraudulent transaction can take place.
- OTP Pop-Ups: As One Time Passwords have a limited validity (a few minutes), they are believed to be secure. However, OTPs mostly appear as pop-up notifications on mobile phones, and these pop-up messages are clearly visible even when the phone is locked. This means that the OTP can be read without the user's permission, leaving the transaction open to being breached.
- OTP Accessibility: Although an OTP is essential, the medium through which it is delivered is of utmost importance. Most of the time, a One Time Password is sent as an SMS. The problem with this is that many apps request permission to read SMS messages, so a malicious app holding that permission can misuse the OTP that has been received. Users should therefore be aware of what privileges they grant to the apps on their smartphone, and should also look at the reviews and number of downloads of the apps they choose.
- EDC Machines: Even with a second-step PIN verification, swiping a card on an EDC machine is not as safe as it seems. EDC machines are susceptible to compromise, and a compromised machine can copy the details of the cards swiped on it. Most debit and credit cards have a static PIN, and even these PINs can be stored by a compromised EDC machine. A breach like this gives fraudulent groups easy access to cardholders' personal data. A dynamic PIN for physical credit or debit cards would be a strong safeguard against compromised EDC machines.
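The dynamic PIN recommended above against key loggers and compromised EDC machines can be illustrated with a time-based one-time code in the style of RFC 4226/6238. This is an added example, not code from the article or from any payment provider; the secret, the 30-second step and the timestamps are constructed for the demonstration, and it shows why a PIN captured by a key logger is useless once its validity window has passed or once it has already been spent.

```python
import hashlib
import hmac
import struct

# Constructed demo secret; a real deployment would provision a per-card secret.
DEMO_SECRET = b"demo-card-secret-0001"
STEP_SECONDS = 30   # validity window of one dynamic PIN
DIGITS = 6


def dynamic_pin(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP-style code (RFC 4226 dynamic truncation) for one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def pin_for_time(secret: bytes, unix_time: int) -> str:
    """The dynamic PIN shown to the cardholder at a given moment."""
    return dynamic_pin(secret, unix_time // STEP_SECONDS)


def verify_pin(secret: bytes, submitted: str, unix_time: int,
               used: set, window: int = 1) -> bool:
    """Accept the PIN only if it matches the current step (or one step either
    side, to tolerate clock skew) and that step has not already been spent."""
    now_counter = unix_time // STEP_SECONDS
    for counter in range(now_counter - window, now_counter + window + 1):
        if hmac.compare_digest(dynamic_pin(secret, counter), submitted):
            if counter in used:
                return False          # replay of a code that was already used
            used.add(counter)
            return True
    return False


def keylogger_replay_demo(secret: bytes = DEMO_SECRET):
    """Return (accepted_now, replay_in_same_window, replay_five_minutes_later)."""
    used = set()
    t0 = 1_700_000_000                       # constructed timestamp
    captured = pin_for_time(secret, t0)      # what a key logger would record
    accepted = verify_pin(secret, captured, t0, used)
    replay_same = verify_pin(secret, captured, t0 + 5, used)
    replay_later = verify_pin(secret, captured, t0 + 10 * STEP_SECONDS, set())
    return accepted, replay_same, replay_later
```

A static PIN, by contrast, would be accepted on every one of these attempts, which is exactly what makes a key-logged or skimmed PIN valuable to a fraudster.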
As there are many threats and vulnerabilities in digital payment systems, we need a system that goes much further than regular security standards. Such a digital payment system should have more than two layers of security, so that it is virtually impenetrable. It should be designed so that each layer stands on its own and also integrates smartly with the overall security structure. From requiring a password just to access the payment system to not needing to key in a PIN at all, the system should have multiple security checkpoints, so that only the authorised user can successfully, yet easily, make payments through it.