Cyber Assessment of Banks: RBI auditing public sector banks is great, but some key issues need resolution
As India celebrated its 68th Republic Day, the last quarter of the past year will go down in history as one of the most significant quarters in providing a decisive push towards adopting a digital economy. India is witnessing a huge revolution in the way banks operate and payments are made. Payment apps, digital wallets and online transactions have become common talking subjects in every household in the country. The enormity of this change inevitably brings concerns with it, and the security of these transactions is the biggest of them. Addressing these concerns, RBI has issued directives for routine audits and is also planning surprise checks. While these are welcome moves, some key issues need to be addressed to assuage the genuine concerns of citizens.
After demonetisation, many of India's 661.8 million debit card holders used their cards for the first time. Quite a few of them had little or no knowledge of the security precautions needed when using these cards. This happened while India, in October 2016, was grappling with the compromise of nearly 3.2 million debit cards issued by some of its major banks, caused by malware in some ATMs. As a precautionary measure, banks had sent out an advisory that people should use only their own bank's ATMs. After the demonetisation announcement, this was undone: people were told to withdraw money from any bank's ATM. Whether this has had any adverse effect is yet to be reported, but the vulnerabilities associated with cards remain.
Most cards in use are still non-EMV (Europay, Mastercard and Visa) cards. These non-EMV cards are inherently vulnerable: the account-related information they carry can be read by compromised ATMs. The migration to EMV chip-and-PIN cards has been slow, in spite of RBI directives to that effect.
Besides non-EMV cards and malware-prone ATMs, the robustness of Point of Sale (POS) machines is another concern. BIS prescribes standards for these machines, which are imported. To meet the growing demand, new POS machines are being purchased without BIS labelling until March 2017. The possibility of rogue machines being mixed in with genuine imports cannot be ruled out.
Along with the increasing use of cards, online transactions using apps and digital wallets have grown too. As per RBI figures, mobile banking transactions grew 175 percent, and the money transacted through mobile banking grew 369 percent, in the period from October 2015 to October 2016 when compared with the corresponding period in earlier years.
These digital wallets and apps are regulated by RBI; however, RBI's circular of 1 July 2015 does not clearly spell out security requirements for these payment apps and digital wallets. It is not too surprising that frauds have started to happen. Paytm's recent complaint regarding cheating of around Rs 6.15 lakh is surely a wake-up call. With the government-sponsored BHIM app in the market and the growing usage of digital wallets and payment apps, security measures need to be clearly defined.
Scary as they may sound, these issues are not too difficult to tackle. RBI has already directed the replacement of non-EMV cards. There is a need to strictly enforce these directions and to educate the public about the security hazards of non-EMV cards. ATMs may be periodically examined by the National Payments Corporation of India (NPCI) and labelled secure for use. Benchmarking of POS terminals as per BIS norms should not be relaxed to meet demand. And lastly, digital wallet service providers must be required to use the prescribed encryption levels both for transactions and for storing customer data.
Only once these basic steps are taken will surprise audits by RBI, and the routine audits mandated for banks, help sustain this digital push year after year.
The author is currently Additional Director General, Home Guards, Mumbai, and former Controller, Legal Metrology, Maharashtra.
Source: Firstpost