What happened at Bangladesh’s central bank in February was straight out of a Hollywood heist movie. Hackers sitting in unknown corners of the world transferred $101 million from the bank’s account at the Federal Reserve Bank in New York to fraudulent accounts in the Philippines and Sri Lanka. If this could happen to Bangladesh’s premier bank, it could also happen in India, especially with Prime Minister Narendra Modi pushing for a cashless economy.
After demonetisation, the number of transactions through e-wallets has gone up by 271 per cent. Transactions through point of sale terminals have increased by 95 per cent, through RuPay cards by 316 per cent and through unified payments interface by 119 per cent. “If people start losing money in these frauds, that will be the biggest jolt to the cashless drive,” said Tarun Wig, founder, Innefu Labs, a cyber security company.
“Cyber security sometimes becomes just a tick in a box,” said Trishneet Arora, founder, TAC Security. “Many companies just do a checklist of various security tools, but when it comes to penetration testing, they hardly do it.”
Neither the government nor the private sector has so far considered cyber security as important as internal security. This is reflected in the country’s cyber security budget, which experts said was not enough to meet the challenges.
Said Ajay Kumar, additional secretary in the ministry of information technology: “Earlier, we were doing it as just one more thing, but now we need to be more focused on cyber security. There are evil eyes prying on us.”
According to the Computer Emergency Response Team, there have been 1.75 lakh cyber security breaches between January 2013 and October 2016.
Some wallet apps, such as MobiKwik, seem to be realising the gravity of the situation. Said Rohan Khara, director, products: “Our iOS app is protected by fingerprint and the android app has a six-digit pin that is needed for every transaction. So, even if your phone gets stolen, app data cannot be misused. Plus, we have algorithms which [warn of] suspicious activities.”
It is the banks that need to update their cyber security systems, said Wig. “If your phone gets stolen and the one-time password is also on the same phone, then there is practically no security,” he said. Also, a majority of ATMs in India run on Windows XP, for which Microsoft has stopped offering security updates.
While institutions might be at fault, the ignorance of individuals is as much to blame, said Payments Council of India chairman Naveen Surya. “Ninety per cent of frauds happen because of ignorance,” he said. “It has been observed that people fall prey to false phone calls asking for PIN and card details. This is an area which needs to be given more importance.”
To tackle the threats, a committee headed by IT secretary Aruna Sundararajan is looking at various aspects of cyber security. “We are planning to issue a detailed advisory to mobile wallet companies,” she said. “We are strengthening CERT-IN and have asked all departments and agencies to designate chief information security officers. We are also launching a massive awareness campaign to educate people.”
