Why Digital Wallets Are Just Not Safe In India

by Priyanka Pugaokar    Dec 16, 2016


If you are an ardent user of digital wallets such as PayTM, PayU or Freecharge for online transactions, beware. Your digital wallet can be vulnerable to cyber attacks, and hackers could make off with the sensitive financial information stored in it. According to US-based semiconductor and telecommunications equipment company Qualcomm, all digital wallets in India lack a hardware-based security layer, which makes them prone to hacking.

According to the Qualcomm report, Indian digital wallet companies lack the cyber security preparedness of global wallet companies such as Alipay and WeChat from China and Apple Pay, which use a hardware-based security layer that makes them more secure for online transactions.

“You will be surprised because most of the banking or wallet apps around the world don’t use hardware security. They actually run completely in Android mode and users’ passwords can be stolen. Users use fingerprint which might be captured. In India that is the case for most of all digital wallets and mobile banking apps,” said Sy Choudhary, senior director for program management at Qualcomm.

When asked about the authenticity of his claim, Choudhary said that the company works with most of the OEMs and therefore has insider knowledge of this security loophole. As per Qualcomm, this hardware-level security feature separates transactions on the mobile device from the operating system, thereby making them safer and more secure. Hence, even if a hacker is able to get through the mobile wallet or banking app, he can’t get through the hardware.

The company has also questioned the safety preparedness of the Indian government when it comes to digitalization of the economy. “Everyone is getting connected, everyone is getting authenticated by device. How do you know that your device is getting ready for demonetisation? When you download a mobile banking app you don’t know if it is using hardware security or not,” Choudhary asked.


While Qualcomm’s claims may infuriate digital wallet companies, who are the biggest beneficiaries of currency demonetization, it is a fact that digital payment apps are prone to cyber attacks. We have witnessed several incidents of fraudulent activity, such as automatic debits, unauthorized purchases and data breaches, on digital wallets in recent months.

Recent research conducted at the University of Florida revealed severe lapses in the digital payment apps picked up from India. According to the study, the MyAirtel and MoneyOnMobile apps were found to have severe security lapses that leave users’ data vulnerable to fraud and scams.

The report also mentioned that the Oxigen and MyAirtel apps used an SMS-based OTP verification method, which is quite ineffective against brute force and other advanced hacking techniques. And, as per the terms and conditions of these apps, the user is liable for any loss or stolen money.

A joint study by ASSOCHAM and EY has also warned of a spike in mobile fraud post demonetization. According to the study, India will likely face a 65 percent hike in mobile payment frauds in 2017. The study states that mobile fraud is an area of great concern for companies, as 40-45 percent of financial transactions are done via mobile devices, and this threat is expected to grow to 60-65 percent.


While cyber crooks are on the lookout for loopholes in digital payment systems, the government, banks and digital wallet companies are contemplating implementing a robust security mechanism within the process to ensure a high level of data security. PayU India, which witnessed up to a 90 percent surge in its transactions, says that data security is the company's topmost priority in ensuring secure and hassle-free transactions.

“The entire infrastructure of PayU India is built for security. All your transactions are secured with 128 bit SSL encryption and two factor authentication. We apply 100+ risk rules for each payment so you can focus on your business and rely on us for data security,” said Pradeep Shekhawat, Head, SMB Business, PayU India.

Similarly, PayTM has taken several initiatives to protect customers’ data. Paytm’s servers and infrastructure are closely monitored by in-house security experts. It has a round-the-clock, multi-layered security protocol, including an IDP (Intrusion Detection and Protection) layer over all its NOCs. Furthermore, it uses bulletproof WAFs (web application firewalls) to protect its traffic against injection. According to PayTM, its systems are secure to the extent that even with a username and password it is not possible to log in to anyone’s account, owing to the multi-layered protection of OTP and device signature, which are also required for logging in to the account.

Against the backdrop of the recent debit card hack, in which around 3.2 million (32 lakh) debit cards belonging to major banks were compromised, the Reserve Bank of India (RBI) mandated that banks have a two-factor authentication process to strengthen the online payment system. Several banks, such as ICICI, HDFC and IDBI, have taken proactive steps to secure their UPI platforms from cyber attackers.


Taking serious note of the recent high-profile attacks on individuals and establishments, the government is also mulling a review of the present Information Technology (IT) Act to strengthen the current cyber security infrastructure in the country. The new amendments are aimed at building a strong cyber security framework to address security challenges as the country rapidly heads towards a digital economy.

In October 2016, the Government of India announced the setting up of an INR 1,000 crore fund for R&D in cyber security, to be spent over five years. The Cabinet Committee on Security (CCS) decided that such an R&D program can be operationalized and implemented by the National Security Council Secretariat (NSCS). Similarly, the Government of Maharashtra is working on rolling out a state-wide cyber security program with a separate budgetary allocation.

While cyber security is a shared responsibility and not solely the obligation of service providers, it is important for users to ensure that their online behavior does not expose them to cyber attacks. Since Android smartphones are a soft target for cyber criminals, having a powerful anti-virus installed on the smartphone is a must.

Similarly, it is important to check the authenticity of a website while making an online payment. Storing debit or credit card details on the mobile and using public Wi-Fi for online transactions should be avoided. These simple yet crucial tricks can be a big boon for safe online transactions.
