India has seen a surge in the number of digital transactions in the last year. This push came as a result of better IT infrastructure, improved internet connectivity, the demonetization drive by the Government of India, and an increased number of players providing digital payment solutions.
While shifting to a digital economy has had its perks for the users, it comes with a heightened need for cyber-security. Globally, there have been major incidents highlighting the importance of cyber-security on various platforms.
The Centre for Software and IT Management (CSITM) recently conducted a study at IIM Bangalore focusing on the cyber-security risks, if any, that digital payment solutions carry.
“We conducted experiments with five popular mobile payment systems, in four broad categories – wallets (PayTM, FreeCharge), direct link with user’s bank (BHIM), specific bank’s app for account holders (iMobile by ICICI Bank), and basic USSD service (dialing *99#),” said Rahul De, Chairperson, CSITM, and faculty in the Decision Sciences and Information Systems area at IIM Bangalore.
The study evaluated the apps on the following six key security principles based on the Basel Committee’s ‘Risk Management Principles for Electronic Banking’ and RBI norms for electronic banking transactions:
• The potential for confidentiality breaches
• The management of the transactions for subsequent repudiation
• The strength of the authentication process
• The data and transaction integrity procedures
• The extent of access and availability of services
• The procedures for maintaining privacy of customer information
The study pointed to some serious privacy and security concerns. For instance, some e-wallet apps like PayTM allow automatic linkage with third-party vendors. This can result in amounts being deducted automatically from the user’s account without the user’s consent.
The study found potential for confidentiality breaches in almost all the mobile payment solutions except USSD.
Another major security concern was that many apps (such as PayTM and FreeCharge) do not log users out automatically. This means that anyone in possession of a phone with such apps can make digital transactions using that account, even if that person is not the original owner.
In contrast, apps like iMobile and BHIM come with a session time-out feature that acts as an auto-logout security mechanism.
While Rahul De criticised the inadequate management of transactions in these digital solutions and termed it a security violation, he made clear that the study was conducted from December 16 to January 17 and that changes might have been made to these apps since then.