Qualcomm has pointed out that most banking apps and mobile digital wallets in India do not use hardware-level security measures to ensure that financial transactions are not compromised. Qualcomm is in the process of approaching the makers of such apps to integrate the hardware-level security features of Qualcomm chipsets into the applications. The sandboxing approach prevents any malware from affecting financial transactions.
There has been an increased focus on the security of electronic financial transactions ever since malware got into the systems of Hitachi Payment Services, which provides back-end services to ATMs and Point of Sale nodes across India. 32 lakh debit cards were compromised, including those issued by SBI, HDFC, YES, AXIS, BOB and ICICI.
Security experts and consultants have pointed out various holes in the electronic transaction systems in place in India. ATMs need to implement state-of-the-art encryption. Magnetic stripe cards need to be replaced with newer EMV chip cards, a global standard created by Europay, MasterCard, and Visa. ATM transactions are vulnerable to skimming and cloning attacks because of the continued use of magnetic stripe cards. The databases of the banks themselves have to be adequately secured.
Intel has also warned that ATMs in India are vulnerable to malicious attacks. Intel points out that countries in the Asia Pacific region are developing and are particularly vulnerable because of the old systems and machines being used. The ATMs tend to use outdated operating systems such as Windows XP, which makes them an easier target for malicious attacks. Intel has also called for securing ATMs with multiple levels of authentication and industry-standard encryption.
Humans are the weakest link in the security chain, and there is a need for banks to educate users about phishing web sites, frauds, and scam emails. This is particularly important for users who are only starting to use digital wallets and banking apps after the demonetisation. The critical login credentials of users can be compromised by someone merely glancing at the screen and the app being used in a public place, a method of low-tech hacking known as shoulder surfing.
Antivirus solutions installed by users on their devices to protect financial transactions actually end up making online banking less secure, according to researchers from Concordia University in Montreal, Canada. Antivirus software intervenes in the regular operations of the browser and operating system, and can be used to fool the system with fake credentials. Commonly used security services were tested, and the researchers found that they lowered the levels of security normally provided by the browsers.
The hacking collective known as Legion has warned of weaknesses in the Indian banking system. The group has said that it has the capability of hacking into financial systems, but has chosen not to do so. Legion has also said that there have been significant breaches in the past, but banks have not alerted their customers about them. There is no requirement by law to disclose data breaches to customers; the onus is on the banks to do so.
However, it is not just amateur hackers who are a threat. There are serious cybercriminals, and even the largest financial networks are susceptible to attacks. Swift has confirmed that hackers trying to get into the system have succeeded multiple times, and are continuously using newer and more sophisticated techniques. Swift has warned of consistent efforts by the group that pulled off the Bangladesh Bank heist to compromise the systems.
The laws in place are outdated, and need to be tweaked to take new developments into account. Digital wallets in India currently have no prescribed security standards, and are free to implement their own measures. There are no laws to hold the digital wallets responsible if something goes wrong during financial transactions.
Qualcomm senior director of product management Sy Choudhury lauded the efforts by Aadhaar. The India Stack is a collection of APIs that are ready to be integrated with applications and services. One of the aims of the India Stack is to ensure smooth and secure financial transactions. Unified Payment Interface (UPI), Aadhaar-linked biometric identification, Unique Identification Authority of India (UIDAI), e-KYC, and Aadhaar Enabled Payments System (AEPS) are all elements of the stack that can improve the security of transactions.