Skip to content

Policing Digital India.

November 17, 2017
In my previous article published here about nine months back, I wrote about the birth of an Idea called Digital India, its vision, steps taken for its implementation, its achievements and the overall goal of this programme. What we missed of the Digital India Programme were its Limitations. Like every medicine we take has its negative side effects on our body, the same can be said for any development programme initiated and implemented by the government.
Policing the Digital India Programme has now become the focal point. As this programme proceeds further towards its goal  we are getting aware of its shortcomings and limitations as well as of the people who can exploit it selfishly both from within the country and from outside. The threats are enormous and as India paces forward digitally so does these threats which are getting bigger and more powerful. They can be so powerful that they can cripple India in one stroke economically, politically and on the defensive front. We will lose the war before we know what happened.
Let us take few real life examples.
In 2007, a small country Estonia faced a massive cyber attack from unscrupulous Hackers. Suddenly the vital infrastructure came crashing down. From newspapers websites to banks to power system everything collapsed. It took several days for the country to recover.
A decade later the cyber criminals are more powerful, intelligent and secretive but not all critical infrastructures are strong enough to resist the cyber attack.
In 2015 the cyber hackers got control of Ukraine power infrastructure crippling it to resist the nationalisation of the power grid owned by the government.
In 2010, India was the worst affected by computer worm called Stuxnet. About 15000 computers were infected by this worm. About 15 computers were installed in critical infrastructure facilities in Gujarat and Haryana electricity boards including an offshore oil rig of state owned petroleum exporter ONGC.
Concerns  has been raised by the Indian domestic electric equipment industry over the contracts awarded to the Chinese companies for the installation of Supervisory control and data acquisition systems ( SCADA) in more than 18 cities. . SCADA is a computer based industrial automation control system that practically makes factories and utilities run on their own. The government has taken note of this concern and has ensured that only audited and tested equipment are connected to the electric grid. Also the government plans to develop a testing facility for cyber security where source equipment can be tested for malware content before its installation and periodically after its commissioning.
An attack on the electricity grid can be more debilitating for a country than a military attack since electricity is the life of the nation. All the vital infrastructures Defence, Banking, telecom and transportation are vulnerable to the cyber attacks.
In 2016 a terminal at India’s largest container port Jawaharlal Nehru Port Trust was hit by the cyber attack. The terminal which could handle 1.8 million containers units was grounded to halt. The attack was mounted through a malware called Petya.
An IIT Kanpur study shared with parliament’s committee of finance shared that attacks by the Equation group which according to wiki-leaks report is a clandestine CIA AND NSA programme infected India’s telecom, military and research institutes.
Recently the American media alleged that the recent elections in United States were manipulated and rigged by the Russian Hackers to ensure Republican Party victory and installing Donald Trump as American President as it would serve the Russian interests.
China is seen a major threat to India’s vital infrastructure. Even Pakistan can launch a cyber attack on India’s infrastructure with the help with its terrorist organisations.
A cyber attack on critical infrastructure could be a preferred mode of attack in a future war. It can cripple a nation without firing a single shot.


Digital Payments on the Rise 

The massive growth of mobile industry in India catapulting it to number one position in the world  especially in the area of Smartphone, the entry of major banking and non banking financial institutions into  the market offering digital payment services has considerably boosted the consumer’s confidence in the Digital payment system particularly the mobile payments. Payments through mobile are easy due to user friendly software, it can be made anywhere in the country and mobiles are easy to carry and operate to any kind of place unlike the laptop computers.
Cashless payments have increased 22% from October 2015 to October 2016. Mobile banking Transaction grew 175% while the money transacted using mobile banking has grew 369% from October to October according to India spend analysis of RBI (Reserve Bank of India) data. IMPS (Immediate payment system —    money is transferred using text messaging or online banking) transactions has increased 116% while IMPS transfers grew 150% in the year ending October 2016. According to a study conducted by Google and BCG (Boston Consultancy Group), digital payments industry in India will grow 10 times to touch $500 billion by 2020. The Google-BCG report also identified that the top three services for which Indian consumers prefer online payments to offline payments include online shopping, utility bill payments, and movie ticket purchases. Indian consumers are 90% as likely to use digital payments for both online and offline transactions. According to the Reserve Bank of India (RBI), the volume of mobile wallet transactions doubled during April 2015-February 2016 period to cross 55 crore.
Thus it could easily be inferred from the above statistics that the Digital Payments Industry in India is booming. The proliferation of Mobile devices, Mobile Apparatus and operating system has led to the innovation in the mobile industry and more so in the mobile payment system. Today, India has a number of cashless methods—banking cards, mobile wallets, AEPS, UPI, BHIM, Micro-ATMS, internet banking, etc. Banking cards are our popular debit/credit/pre-paid cards. They have been in the system for quite long and continue to grow with increased number of shops and establishments accepting them. Mobile wallets are used to make payment based on mobile number of the other party or a QR code. UPI/BHIM and mobile wallets ride on the cell phone. The success or failure of mobile-based payments in India is something that we should keenly watch as we operate on different constraints and opportunities.
Thus from the laborious cheque based system to the present Digital payments that are completed in a fraction of seconds, we have come a long way. The trend is going to continue and we are going to witness further disruption.
However we have to take into account that apart from the convenience there are risks, threats and vulnerabilities involved also in the Digital Transactions. If these are not noticed they will widen the mobile attack landscape. The wealth of information that is stored on and transmitted via mobile devices creates unmeasured opportunities for attackers to target user data (personal, confidential, and sensitive information) regardless of the motive.
Payment data can be divided into two parts. One is Identification data and other is authentication data. Identification data is to identify the individual like his unique I-card number, aadhar card, Voters I card, Pan card etc. Authentication data is a Pin or a fingerprint that helps us to identify a person who he claims to be. Both these type of data (Identification and Authentication) are required to be protected at all points of time and the latter being highly sensitive and requires stricter security requirements.


Security Breaches
As the Digital India progress forward towards its goal so does the Cyber criminals. With the Digital payments growing organically and inorganically (with demonetisation) over the last few years, India has started to witness its shares of payment security breaches. Some of these breaches are Debit card breach, UPI compromise, interbank transfer hack or the hack of leading mobile wallet company are all publically known. Bur apart from all these breaches, there are number of security breaches that are not reported to the public due to lack of public disclosure norms in the public.
Recent breaches like Equifax  happened in United States proves that payment data is not only with the processors but also with the third parties like credit rating companies and the compromise can happen in any entity in the ecosystem. In July 2017, a mobile malware called Bankbot compromised over 400 apps on the Google play store. An app that is infected by Bankbot is capable of creating ‘fake’ Internet banking login screens and even credit/debit card entry screens. So, when a user enters their banking details in these screens, they are actually handing over the information to the attacker. An Android Banking Trojan called Svpeng was detected in July 2017 to have attained key logging functionality (key logger – malicious software that records what a user types on their keyboard). And this functionality allowed the Trojan to steal confidential information from other apps installed on the infected phone.
These are just a few of the many examples of advanced threats that are being increasingly developed by attackers to hunt down their victims. And to combat such threats, we need to secure our Smartphone with a defence system that is not only proactive but multilayered too.
The response to these breaches and concerns has been mixed .On the regulatory side some action has been taken but there is lack of effective enforcement. . For example, a 2013 RBI guideline says that banks are required to adhere to payment security standards (PCI-DSS) but the compliance rates amongst banks are still in single digits. Even the banks that comply end up with restricting the scope undermining their very compliance.
For mobile wallets, RBI has issued a few guidelines for getting a security audit conducted but without a benchmarking payment security standard for each of the cashless methods. This allows each of the players to define “what is securing”, making the exercise ineffective.
Payment breaches are borderless, and we in India need to learn from all the breaches that have happened globally apart from our own set of breaches.


Setting Security standards.

What we need is to beef up our security system as we do in case of a terrorist attack in our country. Adopting International security payments standards across cashless systems can help secure us from these Cyber attacks. To secure the cashless methods unique to India like Bhim, UPI, AEPS the govt. must set up an expert committee to study the international payment standards in cashless systems and modify it to Indian environment.
The Defence payment Act with inter-ministry representatives in one such step taken by the government in this direction and we hope that it consists of Digital payment experts who can address the issue and define the security standard. This will help us to foster digital payment innovation in a secure environment.
Timely enforcement of digital payment security standards will not only help our country to achieve a secure digital payment ecosystem but also achieve the country’s dream of going cashless.


 Suggested Readings.

  1. Mobile Payments are on the rise by Rajib Singha.
  2. Payments on Mobile Phone is not as safe as you think by Dharshan Shantamurthy.
  3. CriticalInfrastructure on target : A cyberattack that could be worse than the war. 
  4. Digital india by Anurag Dubey




No comments yet

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: