Indian Banks Wary of Payment Card Risks
Government Initiative Stirs New Security Concerns
In an effort to curb the flow of black money - income illegally earned and not declared for tax purposes - the Indian finance ministry is considering a new initiative that would provide incentives to banks to encourage credit and debit card use while discouraging cash transactions.
While banks are pleased by the ministry's gesture as it would drive growth and convenience in doing business, besides enhancing customer experience, security experts caution that bank CISOs must understand the potential security repercussions, recommending use of effective authentication tools.
The discussion follows the announcement by finance minister Arun Jaitley during Budget 2015 that cash transactions would be discouraged to curb black money.
In a recent statement to the media, Rajiv Mehrishi, finance secretary, confirms, "We are looking at incentivizing banks, sharing part of the cost of point-of-sale machines, etc., to encourage use of credit and debit cards."
The finance ministry will set up a committee to suggest measures for incentivizing credit or debit card transactions, Mehrishi said.
Bengaluru-based George Joseph, senior vice president at Bank of America, acknowledges that cashless transactions could become the norm rather than the exception. "There are also benefits of convenience, ease of use and speed in availing various services for the consumer," Joseph says. "However, as volumes of such transactions increase, it is but natural that banks would expect security incidents, and hence they would need to strengthen their continuous monitoring of their preventive and detective controls."
The political objective, security experts believe, is to drive the government's financial inclusion plan, which is about delivering financial services at affordable costs to disadvantaged and low-income segments. The plan intends to encourage small enterprises to use cash-based transactions in parallel. This is also in keeping with the Modi government's new scheme, Jan Dhan Yojana, under which every Indian family will be enrolled in a bank for opening a zero balance account, to ensure economic equality.
Coimbatore-based S N Ravichandran, president of Cyber Society of India, applauds the move toward inclusive banking and curbing black money. But he points out: "Out of a 1 billion population, only a minuscule number has the capability for card-based transactions. The majority is illiterate, resulting in huge transactional risks. How will security practitioners handle increased online frauds and risks?"
Recent statistics from RBI say India has more than 20 million credit card users. While the big surge in ecommerce usage and the development of banking to rural India has helped, the ministry plans to increase the volume of electronic transactions through card usage.
The ministry's initiative has alerted the security fraternity. Says Delhi-based Tarun Wig, co-founder of Innefu Labs, a research-oriented information security group providing solutions for two-factor authentication and open source intelligence: "Though an exciting move, cashless transactions in India are fraught with challenges. With millions using credit cards, online banking, wire transfers, etc., tracking a money transfer can prove unmanageable for any law enforcement agency."
Chennai-based Dr B Muthukumaran, head of security and data at HTC Global, foresees huge security challenges for CISOs, as he believes there are not many strong control measures and audit mechanisms to counter growing cyberthreats related to increased card use.
Ravichandran believes this will invite more transactional discrepancies and also expose customers' financial data to third parties, because most new users don't know how to transact and would seek others' help.
"Banks outsource most credit card-related business to a third party," he adds. "There's no way banks can keep tabs on them on issuing cards; nor do they educate customers in using cards in a secured manner."
A study conducted for financial institutions says India is specifically targeted in roughly 10 percent of the world's phishing scams designed to lure online users to lookalike websites, where they are tricked into providing their personal account numbers, passwords, credit card numbers and more.
"The biggest challenge banks and financial institutions face is bank account fraud," Wig says. "Criminals, either independently or in organized gangs, manipulate bank accounts to commit fraud against banks or cheat innocent victims."
Gurgaon-based Mani Kant Singh R, chief information security officer at Orbis Financials, a non-banking financial company, says, "Most often, we find wrong and insecure methods of transactions resulting in huge losses for both customers and banks due to lack of awareness and use of authentication tools."
Other concerns, Singh says, include the limited reach of PoS systems, faulty ATMs and power outages that also hinder business processes.
Critics say India, unlike many other nations, lacks adequate policies covering transactional losses.
The only way banks can ensure secure transactions is by educating customers, while CISOs deploy stringent authentication tools.
Ravichandran recommends that CISOs authenticate both the sender and the receiver, and also take into account the IP address of the customer to enable the transaction.
"The tasks of CISOs will include identifying the security loop, patching the security lapse, adapting to cyberlaw to combat crimes because of increased volume of transactions and deploying appropriate risk assessment tools," Singh says.
Many experts recommend using biometrics, such as fingerprint authentication, and a dynamic SMS-based PIN for every transaction.
Innefu's Wig says the RBI should issue mandatory guidelines to banks for authentication with deployment of core technologies and hold banks accountable for losses.
"Risk profiling is most important," Kumaran says. "The use of big data and analytics will help CISOs profile customer buying patterns in real time. The use of analytics will enable banks to profile customer mobility patterns based on transactions from different locations where the card gets swiped."