Lok Sabha TV- Public Forum: Banks On Hacker’s Radar
When the entire nation is grappling with the effects of demonetization, both positive and negative, and long queues in front of ATMs are testing people's patience, the Government is trying hard to convince people that normalcy will be restored soon. Bank coffers are swelling, and in due course benefits are expected to reach people in the form of tax reductions and rate cuts. But as internet use grows, news of attacks on bank accounts, email IDs and e-wallets is worrying. Even hardcore advocates of digital currency are finding it hard to convince people that its positive side outweighs its negative effects. The fear of accounts being hacked cannot be entirely dismissed, given that the Twitter accounts of some well-known Indians were hacked recently.
No digital online payment platform is secure by itself. Every platform has to identify the user (establish which account is involved), authenticate the user (verify that it really is that person who initiated the transaction) and authorize the transaction. A further requirement is non-repudiation: the user must not be able to deny later that he or she carried out the transaction. To achieve this, digital systems draw on five kinds of evidence about the user, commonly called authentication factors:
- Possession of an object, such as a token, key, bank card or debit card.
- Knowledge of something known only to the user, such as a password or an OTP (a perishable, single-use secret).
- Something inherent to the user, such as a fingerprint (a biometric).
- Something that locates the user, to check whether the transaction is coming from an authorized location.
- The time of use, to check whether the transaction falls within an expected time window.
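As an added example (not code from the programme or from the original page), the following Python shows how a server-side check can combine four of these factors: a salted password hash for knowledge, an RFC 6238 time-based OTP for possession, a country allow-list for location, and an hours-of-use window for time. The user record, the salt, the TOTP secret and the permitted countries and hours are constructed for illustration and are not real values.

```python
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass

PBKDF2_ITERS = 200_000  # assumed work factor for the demo


def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor: salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Possession factor: RFC 6238 TOTP (HOTP over the 30-second time counter)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    allowed_countries: frozenset   # location factor
    allowed_hours: range           # time factor, in UTC hours


# Constructed sample record; the secret and salt are demo values, not real ones.
ALICE_SALT = b"constructed-salt-0001"
ALICE_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")
USERS = {
    "alice": User(
        salt=ALICE_SALT,
        pw_hash=hash_password("correct horse battery staple", ALICE_SALT),
        totp_secret=ALICE_SECRET,
        allowed_countries=frozenset({"IN"}),
        allowed_hours=range(6, 23),
    )
}


def authenticate(user_id: str, password: str, otp: str, country: str, now: int) -> dict:
    """Evaluate every factor and report which ones failed.

    The detailed list is for server-side logging only; the response sent back
    to the client should be a single generic failure so that an attacker cannot
    learn which factor was wrong.
    """
    user = USERS.get(user_id)
    if user is None:
        return {"ok": False, "failed": ["identity"]}
    failed = []
    if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
        failed.append("knowledge")
    # accept the current and the previous time step to absorb small clock skew
    if not any(hmac.compare_digest(totp(user.totp_secret, now - d).encode(), otp.encode())
               for d in (0, 30)):
        failed.append("possession")
    if country not in user.allowed_countries:
        failed.append("location")
    if time.gmtime(now).tm_hour not in user.allowed_hours:
        failed.append("time")
    return {"ok": not failed, "failed": failed}


if __name__ == "__main__":
    now = int(time.time())
    print(authenticate("alice", "correct horse battery staple",
                       totp(ALICE_SECRET, now), "IN", now))
```

Each factor is checked independently and with a constant-time comparison, and the previous TOTP step is accepted so that a user whose phone clock drifts by a few seconds is not locked out; widening that window further trades security for convenience, which is exactly the tension the discussion describes.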
Using all of these together is cumbersome, and each has its own weaknesses. Card details can be misused if a card is lost or stolen. Password recovery is usually offered through email, so anyone who gains access to the user's email account can reset and use the passwords. OTPs sent by SMS are not encrypted end to end, and even a correctly delivered OTP can be misused through a man-in-the-browser attack, where malware on the user's machine alters the transaction after the user has approved it and entered the code. The more secure a system is made, the more inconvenient it becomes. Someone with a good camera close to the user can photograph the fingerprints the user leaves behind and impersonate that person wherever Aadhaar-based authentication is used; a liveness check such as a temperature sensor, which confirms that a live finger rather than a reproduced image is on the reader, counters this. In all these cases the criminal has an overwhelming advantage: the attack can be mounted from any part of the world, and anonymizers and proxy servers make tracing so difficult that it can take years.
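To make the man-in-the-browser point concrete, here is an added Python example (not from the page or the programme) contrasting a plain time-based OTP with an OTP bound to the transaction details, the approach used by transaction-signing tokens and by banking apps that display the payee and amount before issuing a code. The shared secret, the account numbers and the malware's behaviour are constructed assumptions for the demo.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed demo secret shared between the user's OTP device and the bank.
SECRET = b"constructed-demo-secret"


@dataclass(frozen=True)
class Transfer:
    payee: str    # destination account number
    amount: int   # in paise
    step: int     # 30-second time step at which the OTP was issued


def _six_digits(mac: bytes) -> str:
    """Reduce a MAC to a six-digit code the user can type."""
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** 6:06d}"


def plain_otp(secret: bytes, step: int) -> str:
    """Conventional OTP: depends only on the secret and the time step."""
    return _six_digits(hmac.new(secret, struct.pack(">Q", step), hashlib.sha256).digest())


def bound_otp(secret: bytes, tx: Transfer) -> str:
    """Transaction-bound OTP: a MAC over exactly what the user approved."""
    msg = f"{tx.payee}|{tx.amount}|{tx.step}".encode()
    return _six_digits(hmac.new(secret, msg, hashlib.sha256).digest())


def man_in_the_browser(tx: Transfer) -> Transfer:
    """Assumed malware behaviour: rewrite the payee after the user approved the form."""
    return Transfer(payee="ATTACKER-ACCT-9999", amount=tx.amount, step=tx.step)


def bank_accepts(secret: bytes, submitted: Transfer, otp: str, bound: bool) -> bool:
    """The bank recomputes the code over the submission it actually received."""
    expected = bound_otp(secret, submitted) if bound else plain_otp(secret, submitted.step)
    return hmac.compare_digest(expected.encode(), otp.encode())


def simulate(secret: bytes, intended: Transfer) -> dict:
    """User obtains an OTP for the transfer they see; malware then alters the submission."""
    tampered = man_in_the_browser(intended)
    return {
        # plain OTP: the bank checks only secret and time, so the redirected payment clears
        "plain_accepts_tampered": bank_accepts(secret, tampered, plain_otp(secret, intended.step), bound=False),
        # bound OTP: the payee changed, so the user's code no longer verifies
        "bound_accepts_tampered": bank_accepts(secret, tampered, bound_otp(secret, intended), bound=True),
        # and the untampered transfer still goes through
        "bound_accepts_genuine": bank_accepts(secret, intended, bound_otp(secret, intended), bound=True),
    }


if __name__ == "__main__":
    print(simulate(SECRET, Transfer("ALICE-SAVINGS-1234", 25_000, 56_666_666)))
```

With SMS OTPs the bank computes the code over the transaction it has already received, so binding only helps if the message spells out the payee and amount and the user actually reads them before typing the code; a token or app that computes the code over what the user sees on its own screen gives the same guarantee without depending on the user's attention.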
ISO has published the ISO/IEC 27001 to 27004 series on how organizations should secure the information they hold. The RBI requires organizations that handle sensitive and financial information to be compliant with ISO 27001. ISO 20022 covers financial messaging between different organizations. In cases of credit or debit card fraud, it is the bank that is liable to reimburse the user who loses money. Cloned banking apps are now circulating as well, so one needs to be careful to download the genuine app. RTGS and NEFT are fairly secure, but mobile wallets are less so.
The way Aadhaar numbers are linked to bank accounts is also somewhat flawed. If a person has six or seven bank accounts, the Aadhaar number is linked to only one of them at a time, and the person can change which account it is linked to. When that happens the previous account drops out of the linkage, because one Aadhaar can be linked to only one account at a time, so black money could be parked in the first, now unlinked, account. Maintaining a digital footprint is difficult here.
Users need to change their passwords frequently and be more careful on their part. What is required is awareness among people about digital security. This cannot happen overnight, and security is extremely difficult to practise in a country like India where many people are unaware of the nitty-gritty of cyber security. It has to be kept in mind that whatever policing we enforce, it cannot stay ahead of technology. We have to make sure there is sufficient backup in the system to ensure the required degree of security. There has to be a middle path between a totally distributed system and a totally centralized system.