Saket Modi, co-founder and chief executive officer, Lucideus Tech, on safety concerns of digital transactions
After the high-denomination currency notes were scrapped in November last year, there has been a surge in digital transactions. Though the overall volume of electronic transactions has not yet stabilized, the volume of transactions through the Unified Payments Interface (UPI), including the Bharat Interface for Money (BHIM) app, has grown fast. A concern while adopting digital transactions has been the security of those transactions. In an interaction with Mint, Saket Modi, co-founder and chief executive officer of Lucideus Tech, a cyber security firm, discussed various aspects of digital transactions, including security. Edited excerpts:
A cause of concern in the context of increased digital transactions is whether these transactions are really safe.
The largest corporations in the US, including a major bank, have been badly hit by cyber attacks, despite having spent millions on cybersecurity. That speaks for itself about the current state of cyber security in the overall digital ecosystem. In India, we are no different from the US in our use of technology. The defences are exactly the same.
Soon, people will be able to open bank accounts from their mobile using Aadhaar authentication. I wouldn’t say it is equally secure, (but) it probably is more secure than having humans in between. These are two different types of risks. The moment there are machines, there are different types of risks involved. If humans are involved, can you assure 100% security? No, you can’t. Similarly, machines also have their own set of issues.
If India is equally vulnerable to cyber risks, where do Indian systems stand on risk assessment?
Let us take a look at the spending. I am not saying that security is only a function of the spend, but it is certainly important. Major financial companies globally spend $250-300 million a year on cyber security. In comparison, the total spend on cyber security in India does not exceed a couple of million dollars. But this is going up exponentially every year.
We are a country with only 6% of the population making some sort of digital payment. So, the focus of the banks was never on digital. While everybody talked about it and there were (banking) apps, the maturity of the mobile banking application of a multi-billion-dollar bank in India is really very bad on the functionality side. (But) with the kind of increase in digital transactions, cybersecurity spend will automatically go up.
There have been instances of money just vanishing from e-wallets. Why does that happen?
I have also heard of similar instances. If the transaction does not go through, it clearly states that it is a failure. If the expenses and balance do not tally, the software by itself will not work. It cannot just vanish; there has to be a transaction. The valid explanation could be that somehow the transaction happened and I do not know how it happened. Is it possible that the servers of an e-wallet get hacked and someone reduces your balance? Yes, it is possible theoretically. If that has happened, then that is a clear red flag, and it should not happen under any circumstances.
Does the fault lie with the service providers or end users? Is the existing redressal mechanism good enough?
Absolutely not. We are very far away. I am not talking specifically about payments here. Take, for example, someone stalking you on social media or mailing inappropriate things about you or your family. The trust that we have in how we go and redress any normal cyber crime—forget about a payments-related crime—is just not there. The same is the case globally. You always had penal codes assuming boundaries of geography. In cyber, it does not work that way. You are sitting in front of me, and I will hack you, and in between will be five different continents. You can even be a prime minister, but you cannot catch me. That has really happened. Even in the most famous hacking cases, where the biggest global companies or organizations were hacked, you rarely hear that the culprit has been caught and punished.
In a boundary-less cyber world, global law enforcement is an absolute mess. Most of them do not know how to redress problems of cyber intrusion. Yes, moving forward, it has to happen, in terms of uniformity.
When is an institution responsible and when is an individual responsible for an incident?
The rule of thumb is that if you have got an OTP (one-time password) on your phone, and then a fraud has happened, the bank will never give your money back, because the bank has already taken the precaution of sending an OTP to your phone. If you gave it to somebody, it is not the bank’s fault.
There is a common fraud that takes place. The fraudsters get hold of your card details. This is easily done by using cameras at places where you use your card. Next, they will log in using those details and give you a call saying something like, “Your credit limit is being increased, please share the OTP.” A common person would think, what’s the harm in sharing just the OTP? What he does not know is that the fraudsters already have the other details.
UPI and BHIM have recently entered the scene and there are a lot of expectations as well as concerns around them. What is your view?
BHIM is at present superior to other modes of payment like cards, Net banking and e-wallets. In Net banking, it takes some time to add a beneficiary and then make a transaction. With cards, the major problem was the delay in the OTP SMS and having to enter all the details manually. On the other hand, e-wallets are extremely convenient, but are not as secure because of one-factor authentication.
We can define UPI and BHIM as a combination of the security of Net banking with the convenience of mobile wallets. In payments, they are superior even to e-wallets. In mobile wallets, you have to upload money first. There is no recharging in UPI or BHIM, as they are directly linked to your bank account. And it is more secure than Net banking and cards due to two-factor authentication (BHIM has three-factor authentication). Moreover, despite having three-factor authentication, it does not require complex passwords. The only thing you need to remember is your UPI PIN. There is an additional layer of security, which is the app PIN. In a mobile wallet, you can enable an app PIN, but in BHIM it is mandatory.
So is UPI or BHIM absolutely secure?
Nothing is absolutely secure. But these are far more secure than other available modes of digital payment. Just like in the physical world, there is nothing 100% secure.
Is it an issue that various apps ask for access to many functions and data?
It is unfortunate that people do not question why an app is asking for a permission. For example, a financial app has nothing to do with the pictures on your phone. In the new Android versions, you can switch off each access point for every app.
Do you have basic cyber-hygiene guidelines for users?
Individuals should understand that they have a shared responsibility. We actually had relatively less responsibility in the physical banking space. In the old days, you would not be held responsible if money was stolen from the bank. Today, you could be responsible if the money gets stolen. That is the cost of convenience. You need to use the internet with awareness, knowing that even after doing everything, there are chances that you might get hacked.
You have to ensure that the hack is not happening because of ignorance on your side. If the hack is happening on the technical side of the financial institution, you cannot do anything about it. However, in those cases banks return the money to their customers.
I come across statements like “I cannot be hacked because I have fingerprint recognition on my phone.” This just shows a lack of understanding of how all these things work.