Development and launch of transaction platforms in squeezed
timelines may lead to firms missing out on security functionalities.
The recent breach of debit cards of major banks, together with
a sudden proliferation of new technological features from financial services
firms to facilitate digital payments against the backdrop of the government’s
stress on a cashless economy, creates a vulnerable zone for cyber breaches. This
is particularly significant considering the squeezed timelines in which
some of these features have been rolled out.
Several financial technology companies and banks, both
private and public, have introduced a slew of features to facilitate digital
payments in the backdrop of the Centre withdrawing 86 per cent of the currency
(by value terms) from circulation.
Wallet firms Paytm and MobiKwik
launched services to enable merchants using their platform to accept payments
from customers not using these wallets on November 23 and November 28,
respectively. While Paytm launched an app-based point of sale terminal,
MobiKwik launched a stripped-down version of its app called MobiKwik Lite,
which is a payment gateway.
Another financial technology company, Razorpay, launched an eCOD
feature on November 15, allowing its merchants to collect payments from their
customers, at the time of delivery, via non-cash payment modes like Unified
Payments Interface (UPI) or digital wallets. A delivery person can also
generate an instant payment link at the time of delivery that enables the
customer to pay via credit, debit card or net-banking.
“During shortened time frame for launch of products there is
a high likelihood of all processes not being followed and some of the steps may
be overlooked. In this, there is a possibility of appropriate testing for
cybersecurity not being performed which may expose the product to various forms
of attack. There is not much precedence of this being observed in banking
products but in non-banking products this has been witnessed,” said Atul Gupta,
partner, IT Advisory, KPMG.
At the launch of Paytm’s service, CEO Vijay Shekhar Sharma
had explained how the idea of having the app-based point of sale terminal for
India was conceived earlier but kept on the backburner. “But as soon as we
saw demonetisation, we said let’s just start working on it,” Sharma said,
adding that the firm started working on the feature less than a week before its
launch.
Only a day after its launch, Paytm rolled back the service
citing concerns around customer data and privacy, and said that it has decided
to add additional certifications and features before making it available to
merchants.
MobiKwik was also quick to develop its new service, through
which a merchant could have a link sent to his customer for making the payment.
“We didn’t believe that we’re serving the entire population of this country even
before November 8. It was in the back of our mind, but we had not started any
work … but as soon as it happened we tried to train people with MobiKwik but we
saw that this is not going to scale. So, we put together a very small team; in
ten days, they’ve put this together and have got the app to launch,” MobiKwik
CEO Bipin Preet Singh said.
Apart from these two, several other cases of big banks
getting on board with the National Payments Corporation of India’s UPI platform
post November 8 also indicate the sense of urgency with which matters
regarding increasing traffic for digital payments have been addressed.
Nilesh Jain, country manager (India and SAARC), Trend Micro,
said that with the increasing number of online transactions, there was a
possibility of companies missing out on basic security functionality in the
hurry of developing new applications and going back to the customers. “This is
why in the last couple of months, we have seen some of the largest banks of the
country getting compromised — either their ATM cards, debit cards, or servers
in some cases,” he said.
“There could always be a risk when someone designs an
application, which is not completely foolproof.
There could be vulnerabilities from a source-code
perspective if it was done in a haste, it does not have security protocols
because people jump on the bandwagon on account of the mad-rush,” said Amit
Nath, cybersecurity firm F-Secure’s head of Asia-Pacific (corporate business).
Nath said that while in the shorter term there were possibilities
of people transacting digitally being conned, the risks were imminent for the
longer term too. “Someone may have hacked your system and been there for as
long as eight-nine months before he decides to make a move. We call this
breach-blindness. Now because of demonetisation, a lot of people and
organisations may not get affected immediately but nine months later,” he said.
Cybersecurity companies, on the back of these red flags, have
also witnessed increased demand from their clients to ensure any vulnerabilities
are addressed before any breach occurs.