For some businesses, demonetisation of the Rs. 500 and Rs. 1000 notes has been great news, though most people are finding it hugely inconvenient, and for a large number of people with no access to electronic payment methods, it's been more than a nuisance.
One of the results of the drive is that more and more people are now paying using their credit or debit cards, while lots of people are also signing up for services such as UPI, and using their mobile wallets with more offline sellers. But getting so many new users onboard brings in a number of security risks over and above questions regarding how secure these apps really are.
Jaspreet Singh, Partner at EY Cybersecurity Solutions, whose focus is on telecom, media, and technology, points out the following five risks that will come with the rise of digital payments.
1) There are awareness issues among vendors
"If you look at the last three weeks, we've observed a huge boom in the number of signups for wallets," says Singh. "To give you the example of the nearby market in Gurugram, earlier, only one or two shops accepted Paytm. Today, only one or two still rely on cash-only. It's a complete change. But we looked at how the companies handle vendor on-boarding, and realised that this was now becoming a problem area."
This is because many of the vendors aren't really given more than a barebones explanation on how to use the systems, and as a result, a lack of vendor awareness presents a real challenge today, Singh avers. Another issue here is that the devices being used are also hugely varied, and this brings its own problems. "With so many vendors coming in, Android is completely fragmented, you don't know what version they're running, what security is in place," he says. "Vendors are not being educated about downloading only authorised software, not side-loading anything - so you don't know if any data is leaking, and the apps do have security measures in the software, but better education is very important."
2) Onboarding itself needs more security
Aside from the vendor awareness though, Singh points to another problem in the on-boarding process due to the huge spike in signups. "With the sudden growth in the number of installs, we're seeing more challenges come in," Singh explained. "The scale of it is very sudden, and this opens up the possibility for more security issues, fake signups, more devices also means more opportunities for breaches, and this could also lead to identity theft."
In terms of fake identity, Singh cautions that making fake documents is now extremely simple - and it's something that can happen with just a simple Google search for Aadhaar cards. "You don't need specialised software or technical training, just a little patience and Google, and you can make passable fake documents," says Singh.
3) Document handling needs to be given more importance
Even if verification is being done properly, another genuine concern is the handling of people's documents. People are queuing up with multiple copies of ID documents to do things such as withdraw their money from banks - it is a real problem, and one that generates a lot of documents.
Singh warns that in many instances, these documents are not being handled properly. "If you talk to the people on the ground, or even see the regional papers, you'll see plenty of cases where leaked documents have been used for identity theft," he warns. "All processing organisations need stringent control to keep data secure."
4) Lack of awareness among consumers
"We are generally unprepared to live with security," says Singh. To explain this, he gives the example of an audit that EY Cybersecurity did with a multinational corporation recently. "We did some phishing [sending fake mails and calls to get you to volunteer your confidential information] in a major organisation, to test their security preparedness," he explained. "We were able to get the usernames and passwords of 13 out of 18 of the topmost executives in the company, and that required no hacking or high tech methods."
"This is the top executives of an MNC," he continued, "where they have defined information awareness campaigns. Do you think that the awareness is any better in the rest of the country?" This is a problem because with the huge growth in numbers of people, instances of misuse and fraud will also go up accordingly, and the companies will be hard pressed to meet this increased need for customer care and security as well.
5) Technological weaknesses
Aside from all these problems, Singh says that there are other technological weaknesses to consider as well. Leaving aside the security features of the apps in question, he warns about viruses, malware, and key-loggers that consumers could have installed on their phones without realising it.
"People need to keep updating their phone PIN, not sharing that with anyone, keep your phone up to date, make sure it has a password so even if it gets stolen, your data won't be immediately exposed," he cautions. "People need to be aware about using public Wi-Fi, they see free Wi-Fi and they use it right away without thinking about what they're doing. Even checking your bank balance on the app can be a risk in such a scenario, but people have no awareness about these things."