Living dangerously in the hacker’s shadow in a ‘less-cash’ economy

January 30, 2017 12:00 am | Updated 04:09 am IST

One of the undisputed benefits of the recent demonetisation exercise has been the concerted push towards digitisation of cash transactions. Concomitant with this development has been the rapid growth in the use of smart devices, primarily mobile phones. Though digital payment systems have been in existence for a while, the last few weeks have witnessed an explosive growth in their use. While many welcome the idea of trackable, transparent and frictionless monetary transactions, there are significant risks associated with moving to these systems. In a population that is largely illiterate or technologically naïve, this creates a challenge for policy-makers and system providers alike.

Mobile-based systems

There are a number of mobile banking applications that have been developed by major banks for their respective customers to perform transactions that they would normally have conducted over the bank’s web portal. The Bharat Interface for Money (BHIM) application has been developed by the National Payments Corporation of India (NPCI) to allow any customer of a Universal Payment Interface (UPI)-live bank (such as SBI, HDFC or ICICI) to conduct certain basic transactions such as sending or receiving money. While these applications do not (claim to) store any bank-related information on the phone itself, they connect directly to the consumer’s bank accounts, which may be a cause for concern.

Mobile wallets, on the other hand, are applications that act like our physical wallets but in the digital world. We can add money to our wallets from our bank accounts, debit or credit cards and then use these funds for various transactions, be it paying vendors or friends. SBI Buddy, Chillr, Paytm, Oxigen and MobiKwik are examples of mobile wallets. The limitation with such wallets is that the vendor and the customer must both be using the same wallet. Their advantage over the banking application is that the liability of the consumer is limited to the amount kept in the wallet (just like physical wallets).

In any of the applications mentioned above, secure communication (over a 2G, 3G or Wi-Fi network) is used to access and conduct transactions. A smartphone is necessary, and the encryption level is similar to what we get when using the bank’s web portal. In the case of BHIM, the dedicated UPI network between banks is used. More than 47 banks have registered with NPCI to conduct immediate payments over the UPI network.

Each of these applications varies in terms of the number of access passwords required to conduct a transaction. For ease of use, wallets typically have the least number of access checks.

A relatively “low technology” method of conducting transactions is the USSD-based payment system. This NPCI-developed system allows consumers to access their bank accounts using the regular wireless telephony network (non-data) to communicate with their respective banks and perform transactions. The advantage here is that a smartphone is not required to conduct mobile banking transactions (especially for payment). All these transaction methods are multilingual, and hence useful in the context of India.

Vulnerabilities exist

Vulnerabilities associated with payments systems exist and hence signal the need for caution. Examples follow.

Compromised applications: The most plausible vulnerability with payment applications is the presence of other applications on a consumer’s mobile phone. If a user has installed an alternative keyboard application, it could log passwords and PINs entered while performing bank transactions. It is also possible that a user inadvertently downloads an application while browsing the web that could compromise his/her phone data and transactions. With some payment wallets, anyone having casual access to a user’s mobile phone could be a vulnerability, as no application-level PIN is set up.

Denial of service: A vulnerability associated with all forms of payment systems is a denial of service attack on the network as a whole. This could be at the level of the telephony network via jamming devices, or at the server, where billions of illegitimate requests could be sent in a short period of time, making it difficult for legitimate transactions to be completed.

Man-in-the-middle vulnerability: In this scenario, a hacker gets access to either the servers on the telecom network, the payment wallet or the bank’s networks. Listening to the communication (despite its being encrypted) could still be considered a risk. This type of vulnerability could be considered more esoteric. Hacking of a bank’s or NPCI’s servers could end up exposing personal details of users, while hacking of a mobile (GSM) network (A5/1 encryption has known vulnerabilities) could expose all communication, especially the USSD-based transactions.

There are trade-offs between convenience and security. While it is impossible to eliminate all vulnerabilities and risks, there are some simple steps that users, payment system providers, banks and governments could take to minimise their risks while using payment systems.

The greatest vulnerability in mobile payment systems lies at the consumer’s end. Users need to carefully protect their mobile devices from unauthorised access. At the very least, one should have a PIN to lock the phone. A biometrics-based locking/unlocking system would be the most secure option as of now. PIN access for applications, especially for banking applications or digital wallets, would be another layer of protection.

Payment systems should ensure that their systems are continually audited for security vulnerabilities and patched frequently. Systems should be hosted with active measures to mitigate denial of service attacks, while also maintaining flexibility to handle seasonal upsurges in traffic.
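The server-side flood described under “Denial of service” above, and the mitigation suggested here, can be illustrated with a per-client sliding-window rate limiter replayed over request records. This is an added example written for this page, not code from the article, NPCI or any payment provider; the request records, client identifiers and the limit of 5 requests per 2 seconds are constructed values chosen so that one steady client passes and one flooding client is throttled.

```python
from collections import defaultdict, deque


def build_sample():
    """Constructed request log: (timestamp_seconds, client_id).

    client-A sends one request per second for ten seconds (normal use).
    client-B sends twenty requests inside a single second (a flood).
    Values are made up for illustration; they are not real traffic.
    """
    reqs = [(float(t), "client-A") for t in range(10)]
    reqs += [(5.0 + 0.05 * i, "client-B") for i in range(20)]
    return sorted(reqs)


SAMPLE_REQUESTS = build_sample()


class SlidingWindowLimiter:
    """Allow at most `max_requests` per client within any `window_seconds` span."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        # Per-client queue of accepted request timestamps, oldest first.
        self.history = defaultdict(deque)

    def allow(self, client_id, now):
        q = self.history[client_id]
        # Drop accepted timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False  # Over the limit: reject without recording.
        q.append(now)
        return True


def replay(requests, limiter):
    """Feed records in time order; return (timestamp, client, allowed) triples."""
    return [(ts, cid, limiter.allow(cid, ts)) for ts, cid in requests]


def rejected_counts(decisions):
    """Count rejected requests per client (clients with none are omitted)."""
    counts = defaultdict(int)
    for _, cid, allowed in decisions:
        if not allowed:
            counts[cid] += 1
    return dict(counts)


def flooding_clients(decisions, min_rejections):
    """Clients whose rejections reach the threshold, for alerting or blocking."""
    return {cid for cid, n in rejected_counts(decisions).items() if n >= min_rejections}


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(max_requests=5, window_seconds=2.0)
    decisions = replay(SAMPLE_REQUESTS, limiter)
    print("rejections per client:", rejected_counts(decisions))
    print("flagged as flooding:", flooding_clients(decisions, min_rejections=10))
```

The limiter keeps only the timestamps of accepted requests, so a client that is already over the limit cannot extend its own penalty by continuing to send; the steady client is never throttled because at most one of its earlier requests ever falls inside the two-second window. In a real deployment the same logic would run at the network edge or in a shared store keyed on client, device or account identifiers, alongside a separate global limit to protect the back end during legitimate seasonal surges.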

While the government has put its weight behind the concept of a cashless economy, it needs to invest sufficiently in securing the network as well as in educating the population on how to avoid becoming a victim of fraud. There should be a robust training programme, especially focussing on the old and the illiterate, who will be affected the most by this transition. Lastly, it must revisit laws and establish a special mechanism to ensure that entities stealing data or preventing legitimate digital transactions are dealt with severely and swiftly, in a manner apparent to the public.

(Pronab Mohanty is DDG UIDAI, and Dr. Jai Asundi is Research Coordinator – CSTEP. Views are personal.)
