The revolutionary move of the demonetization of currency notes of 500 and 1000, announced by Prime Minister Narendra Modi on the eve of 8th November, has left the general masses in a state of ambivalence. Since then, debates on its pros and cons have sparked all over the country. It has raised hope in the minds of millions of Indians for a better, digital and black-money-free India. However, it has also raised concern among cyber security experts, who are still not confident about the threats following the move.
Due to the shortage of new currency notes in the market and the long queues at ATMs and banks, people are shifting to online payments for convenience and to save time. As a result, the digital payment industry has witnessed an exponential hike. Electronic wallets like Paytm, Freecharge, MobiKwik, PayU and others are dealing with gigantic demand, which has increased manyfold within a month and is still growing. Every service-providing company is now trying to set up its own payment system or to integrate with existing global online wallets or payment gateways.
Post demonetization, there is a rapid increase in digital transfers of funds, online transactions, and the storing of money in the form of virtual currency, raising concern for both users and banks. The technology is still developing, with many undiscovered attack vectors. Further, the expanding digital payment and wallet industry is attracting the interest of cybercriminals, who are ready to take advantage of any loophole. Attackers can exploit technical or developmental issues, buggy software, unpatched applications, zero-day vulnerabilities or anything else.
The online payment industry is expanding, and so are the incidents of fraudulent misuse of payment networks and data theft. Now, with demonetization, additional money flow is being directed over the internet in the form of digital transactions. This is bound to attract hackers towards India, increasing the risk of more people losing their money through Point of Sale (POS) and digital wallet breaches, fraud, and scams. The cashless economy will lead to the accounting of all transactions and a digital life, but the big question arises: "Is India prepared for the cashless economy?"
The risk of cyber fraud in India is further compounded by the lack of cyber security awareness. Around 70% of the population still resides in rural areas and lacks cyber-literacy and awareness. Even the urban folks are not in a good situation. People are always the weakest link in the security chain, and security is only as strong as its weakest link. A major part of hacking is not technical skill but the skill of tricking human beings: social engineering, or fooling people into revealing their sensitive data. Banks are working to improve their security by implementing two-factor authentication, but attackers can still dupe people through techniques like IVR phishing, scam calls, spear phishing, and distributed guessing attacks. Government and financial institutions need to invest in regular consumer cyber security awareness and ensure that consumers are aware of new fraud methods.
The recent incident in the month of October, involving a massive financial data breach, has raised a question about Indian cyber security: details of 3.2 million debit cards were reportedly stolen from multiple banks and financial platforms. Of these, 2.6 million were powered by Visa or Mastercard, and the remaining 600,000 work on top of the Indian domestic card scheme, the RuPay platform. The attack struck some of India's biggest banks, including State Bank of India, HDFC Bank, Yes Bank, ICICI Bank and Axis; thereafter, users were advised to change their ATM PIN immediately and avoid using ATMs of other banks.
Hackers used malware to compromise the Hitachi Payment Services platform, which is used to power Indian ATMs, point-of-sale (PoS) machines, and other financial transactions, and stole details of 3.2 million debit cards, reported The Economic Times. Furthermore, debit card and credit card users are somewhat protected by banks or the credit card company, unlike mobile wallet users. The news broke that hackers had stolen millions of debit cards by breaching and planting malware in the ATM network of Hitachi Payment Services. This news was followed by SBI blocking 6,00,000 debit cards. According to the National Payments Council of India, these breaches involved fraudulent withdrawals of a reported Rs 1.3 crore from cards issued by 19 banks.
Analysis done by cyber security firm Kaspersky states that Indian banks are still casual about cyber security, and that may turn out to be nasty for consumers. A couple of banks have either replaced their users' cards or asked them to change their PINs immediately after the breach. In some cases, security incidents are not reported but hidden by the organization to uphold its reputation. Moreover, the outdated communication standards of ATM machines make them prone to attacks: they can be easily hacked, malware can be installed, and funds could be stolen. Kaspersky said that Indian banks are just not paying enough attention to cyber security. According to the firm, most ATMs are running Windows XP, an operating system that is no longer supported by Microsoft, so they do not have the security updates needed to fight present-day cyber attacks. Since the security on ATMs running Windows XP is not up to date, it is easier to install malicious software on them without too much effort.
Moreover, banks using cards with a magnetic stripe are still vulnerable, as these cards are easier to clone than EMV (Europay, MasterCard, and Visa) chip-equipped cards, also known as Chip and PIN cards. EMV cards store data in encrypted form and transmit only a unique code, i.e. a one-time-use token, for every transaction, making them more secure and a lot harder to clone. Social engineering attacks are also quite common, with the latest method being to fool users into revealing PIN numbers or OTPs. Attackers make fake calls claiming an affiliation with banks and ask for security details and other sensitive information.
New families of ATM malware are being discovered regularly, increasing trouble for security experts who wish to safeguard online banking applications. Recently, a new ATM malware, Alice, was discovered by researchers at Trend Micro as part of a joint research project with Europol EC3. Alice cannot be administered through the numeric pad of ATMs, nor does it have information-stealing features. It is meant mainly to empty the safe of ATMs. Earlier this year, the Ripper ATM malware was detected by FireEye; it targeted three main ATM vendors worldwide. It interacted with the ATM through the insertion of a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism. Skimming is one of the methods used to compromise ATM machines, and often these hardware devices are unrecognizable.
Cyber security is thus one of the biggest worries faced by financial systems. With advances in technology, newer and more powerful attacks are being devised by cyber criminals. In the next article, I will continue to give further insights into this issue.
Authored By - Shefali Singh
TCS Enterprise Security and Risk Management