Card Not Present Fraud , Fraud Management & Cybercrime

Indian Banks Wary of Payment Card Risks

Government Initiative Stirs New Security Concerns
Indian Banks Wary of Payment Card Risks

In an effort to curb the flow of black money - income illegally earned and not declared for tax purposes - the Indian finance ministry is considering a new initiative that would provide incentives to banks to encourage credit and debit card use while discouraging cash transactions.

See Also: OnDemand | Everything You Can Do to Fight Social Engineering and Phishing

While banks are pleased by the ministry's gesture as it would drive growth and convenience in doing business, besides enhancing customer experience, security experts caution that bank CISOs must understand the potential security repercussions, recommending use of effective authentication tools.

The discussion follows the announcement by finance minister Arun Jaitley during Budget 2015 that cash transactions would be discouraged to curb black money.

In a recent statement to the media, Rajiv Mehrishi, finance secretary, confirms, "We are looking at incentivizing banks, sharing part of the cost of point-of-sale machines, etc., to encourage use of credit and debit cards."

The finance ministry will set up a committee to suggest measures for incentivizing credit or debit card transactions, Mehrishi said.

Bengaluru-based George Joseph, senior vice president at Bank of America, acknowledges that cashless transactions could become the norm rather than the exception. "There are also benefits of convenience, ease of use and speed in availing various services for the consumer," Joseph says. "However, as volumes of such transactions increase, it is but natural that banks would expect security incidents, and hence they would need to strengthen their continuous monitoring of their preventive and detective controls."

Why Now?

The political objective, security experts believe, is to drive the government's financial inclusion plan, which is about delivering financial services at affordable costs to disadvantaged and low-income segments. The plan intends to encourage small enterprises to use cash-based transactions in parallel. This is also in keeping with the Modi government's new scheme, Jan Dhan Yojana, under which every Indian family will be enrolled in a bank for opening a zero balance account, to ensure economic equality.

Coimbatore-based S N Ravichandran, president of Cyber Society of India, applauds the move toward inclusive banking and curbing black money. But he points out: "Out of a 1 billion population, only a miniscule number has the capability for card-based transactions. The majority is illiterate, resulting in huge transactional risks. How will security practitioners handle increased online frauds and risks?"

Recent statistics from RBI say India has more than 20 million credit card users. While the big surge in ecommerce usage and the development of banking to rural India has helped, the ministry plans to increase the volume of electronic transactions through card usage.

The ministry's initiative has alerted the security fraternity. Says Delhi-based Tarun Wig, co-founder of Innefu Labs, a research-oriented information security group providing solutions for two-factor authentication and open source intelligence: "Though an exciting move, cashless transactions in India are fraught with challenges. With millions using credit cards, online banking, wire transfers, etc., tracking a money transfer can prove unmanageable for any law enforcement agency."

Security Implications

Critics fear an increase in online scams and debit and credit card fraud, including phishing, key logging, identity theft and account takeover.

Chennai-based Dr B Muthukumaran, head of security and data at HTC Global, foresees huge security challenges for CISOs, as he believes there are not many strong control measures and audit mechanisms to counter growing cyberthreats related to increased card use.

Ravichandran believes this will invite more transactional discrepancies and also expose customers' financial data to third parties, because most new users don't know how to transact and would seek others' help.

"Banks outsource most credit card-related business to a third party," he adds. "There's no way banks can keep tabs on them on issuing cards; nor do they educate customers in using cards in a secured manner."

A study conducted for financial institutions says India is specifically targeted in roughly 10 percent of the world's phishing scams designed to lure online users to lookalike websites, where they are tricked into providing their personal account numbers, passwords, credit card numbers and more.

"The biggest challenge banks and financial institutions face is bank account fraud," Wig says. "Criminals, either independently or in organized gangs, manipulate bank accounts to commit fraud against banks or cheat innocent victims."

Gurgoan-based Mani Kant Singh R, chief information security officer at Orbis Financials, a non-banking financial company, says, "Most often, we find wrong and insecure methods of transactions resulting in huge losses for both customers and banks due to lack of awareness and use of authentication tools."

Other concerns, Singh says, include the limited reach of PoS systems, faulty ATMs and power outages that also hinder business processes.

Safety Measures

Critics say India, unlike many other nations, lacks adequate policies covering transactional losses.

The only way banks can ensure secure transactions is by educating customers, while CISOs deploy stringent authentication tools.

Ravichandran recommends that CISOs authenticate both the sender and the receiver, and also take into account the IP address of the customer to enable the transaction.

"The tasks of CISOs will include identifying the security loop, patching the security lapse, adapting to cyberlaw to combat crimes because of increased volume of transactions and deploying appropriate risk assessment tools," Singh says.

Many experts recommend using biometrics, such as fingerprint authentication, and a dynamic SMS-based PIN for every transaction.

Innefu's Wig says the RBI should issue mandatory guidelines to banks for authentication with deployment of core technologies and hold banks accountable for losses.

"Risk profiling is most important," Kumaran says. "The use of big data and analytics will help CISOs profile customer buying patterns in real time. "The use of analytics will enable banks to profile customer mobility patterns based on transactions from different locations where the card gets swiped."


About the Author

Geetha Nandikotkur

Geetha Nandikotkur

Vice President - Conferences, Asia, Middle East and Africa, ISMG

Nandikotkur is an award-winning journalist with over 20 years of experience in newspapers, audiovisual media, magazines and research. She has an understanding of technology and business journalism and has moderated several roundtables and conferences, in addition to leading mentoring programs for the IT community. Prior to joining ISMG, Nandikotkur worked for 9.9 Media as a group editor for CIO & Leader, IT Next and CSO Forum.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.