8th November 2016 was a shocking evening for all Indians: the announcement of demonetization took everyone by surprise. The very next day, one of the leading e-wallet providers posted an advertisement in the newspaper thanking the Government of India for taking a bold decision, unprecedented in the history of India. With the demonetization announcement, the cashless economy has finally emerged in India. As days passed, people started facing a cash crunch and everyone began looking for alternate ways to transact. From buying vegetables to buying expensive items like jewellery, consumers started using alternate payment options such as e-wallets like Paytm, FreeCharge and MobiKwik, in addition to net banking, credit and debit cards.
Although digital wallet (aka e-wallet) technology has been in the market for the last few years, its usage has grown enormously since demonetization and is still increasing day by day. In fact, after demonetization Paytm, one of the leading digital wallet players in India, has seen 5 million transactions per day and a 700 percent increase in mobile app downloads. But with such increased usage of e-wallets, the buzzing question is: how safe are these e-wallets?
The Payment and Settlement Systems Act, 2007 is the nodal legislation for the regulation of payment systems in India and empowers the RBI to regulate and supervise these systems. Only entities licensed under the Act can issue their own mobile wallet and engage in the mobile wallet business. Besides the Act, the RBI issued a Master Circular in July 2016 setting out the policy framework for the issuance and operation of pre-paid payment instruments (PPIs) as well as the regulation of payment system providers/operators.
The framework provides details on the eligibility criteria and conditions, such as minimum capital requirements for starting the business, the cap on the amount of money people can hold in their e-wallets, anti-money laundering provisions, and dispute settlement and grievance redressal mechanisms for consumers. However, the circular does not mention any minimum security standards that e-wallet service providers need to follow. It only mentions that pre-paid payment instrument issuers shall put in place adequate information and data security infrastructure and systems for the prevention and detection of frauds.
In the absence of minimum security standards, consumers are exposed to cyber crime and digital fraud and may lose their hard-earned money to hackers. The circular leaves consumers more vulnerable as it does not establish any liability for fraud that occurs due to a lack of security measures.
App installation and security: The e-wallet apps do not have any prerequisites for installation on a smartphone. As the service providers are responding to business demand, they also have a responsibility to ensure maximum security for consumers. If a user has a jailbroken phone with a rogue third-party app already installed, the malware can easily steal sensitive information at the time of onboarding by recording the keystrokes on the phone.
Also, the e-wallet apps in India, unlike their foreign counterparts like Samsung Pay in the United States, do not use a hardware-based security layer, which makes them less secure and more prone to malware infection.
Lack of incident response plan and related measures: As e-wallets are pre-paid payment instruments, e-wallet service providers are custodians of public money. So it is very important for such service providers to have an incident response plan and a crisis management team for responding to any breach or security incident. As of today, hardly any service provider has taken steps to develop such a plan or team. Also, unless liability for fraud is fixed by the government, it is difficult to see service providers taking steps to put an incident response plan in place, let alone one at par with global security standards.
Insider threat: E-wallets are vulnerable to insider threat, wherein any authorized user within the organization can cause fraud to take place, directly or indirectly. There has to be a policy to handle insider threat so that e-wallets remain safe. Information security awareness among the employees of e-wallet service providers is also very important in order to reduce the consumer's risk.
Third-party vendor risk: E-wallets are exposed to third-party vendor risk as e-wallet services are integrated with other services like cab bookings, food ordering, transport and hotel bookings etc. As happened in the past in the Target incident in the U.S., hackers may try to use the same methods to gain access to e-wallet servers through a third-party vendor's infrastructure.
Information security culture: Unless a proper information security culture is in place within the service provider's organization, directed by senior management to inculcate cyber hygiene, along with an incident response plan, proper security architecture and review mechanisms, consumers will continue to remain at risk.
As the Indian economy progresses on cashless wheels in the coming days, it would be prudent to see more and more precautionary measures taken by e-wallet service providers to handle the challenges they face, in order to safeguard consumers' data and money.
Authored By - Mahendra Joshi
TCS Enterprise Security and Risk Management