No Hardware Level Security on Digital Payment Applications and Websites in India

Recently, chipset maker company Qualcomm revealed that in India online banking, mobile banking and digital wallets applications and websites are not utilizing hardware level security that can led to serious cyberattacks and other consequences.

While, post demonetization has forced the Indian citizens and merchants to switch onto digital payment system, chipset maker US based organization Qualcomm said that digital payment applications and websites in India are free of hardware level security that can ease out malware and cyberattacks. A Hardware security module is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing, which is a computer on a chip or microprocessor for carrying out cryptographic operations, embedded in a packaging with multiple physical security measures.

Qualcomm senior director product management Sayeed Choudhury said, “You will be surprised because most of the banking or wallet apps around the world don’t use hardware security. They actually run completely in Android mode and users password can be stolen. Users use fingerprint which might be captured … in India that is the case for most of all digital wallets and mobile banking apps.”

He added, “Even the most famous digital payment application in India is not using hardware level security. Reason we are saying that none of them is using it because we work with OEMs (original equipment makers).

According to market research firm Strategy Analytics, Qualcomm leads the mobile chipset market globally with 37% share. “Everyone is getting connected, everyone is getting authenticated by device. How do you know that your device is getting ready for demonetisation? When you download a mobile banking app you don’t know if it is using hardware security or not,” Choudhury said.

“Qualcomm is now approaching digital payments companies for using secure environment for processing payments on mobile phone. “We are providing secure execution environment in the chipsets. This layer separates transactions on mobile phone from operating system. This checks any malware from effecting transactions.” Choudhury further added.

Qualcomm is also coming up with new feature in its mobile chipsets from 2017 that verify user with payment gateway using unique features like device id, phone manufacturer signature, Android version in the phone, root kit of operating system, location and time, which will be nearly impossible to duplicate.

According to a report of TOI, Choudhury mentioned that device attestation feature will start shipping in 2017. For end users it should be available by end of 2017. The company has partnered with software security company Avast to generate alerts for users in case their mobile phones are infected with virus or malware. Choudhury lauded India’s Aadhaar authentication system.

“Aadhaar initiated by Indian government, the path that it is moving now with digital version of Aadhaar is far ahead then most government in the entire world,” Choudhury concluded.