A home-maker from Kolkata shared her experience with BE. Once she got a call from an unknown number claiming to be her bank representative, asking for her debit card details. According to her, “He said that my debit card had expired. So, he needed the details in order to start the renewal process. I checked my debit card and realised that it had not yet expired. I called up my bank immediately and they told me not to trust anyone who claims to have called as a bank representative.”
Victor Choi, CEO, Balancehero India, has written about breaches in financial data security in an article for BFSI.com titled ‘The criticality of data security for financial services in India’. Hyperlinks to websites are sent as part of messages to dupe people of their money. Such incidents are common today across the globe and are a microcosm of a much larger problem in the financial services and mobile apps space.
A report titled ‘Cyber security in India market’ by the Data Security Council of India (DSCI) and PricewaterhouseCoopers (PwC) India suggests that digital payments in India will increase at a CAGR of 20.2%, from $64.8 billion in 2019 to $135.2 billion in 2023. This gradual shift has exposed the vulnerability of financial data security. A business analyst from HSBC Bank in an interaction with BE on QR code payment methods said, “It enhances the usability of the apps as merchants are accepting wallet payments from customers. Sometimes it is even used for recommending tailored banking services to customers. Some banks are planning to use it in their multi-utility cards in place of the EMV chips as these are less costly and more secure.” She further added, “It is often used for uniquely identifying the customers much like the CIN and provides high-capacity encoding of data and a structured appending feature, which makes it more secure than the OTP and the user-defined passwords.” However, despite the security measures, innovation in payments technology using Artificial Intelligence (AI), blockchain and the Internet of Things (IoT), and the introduction of mobile point of sales (POS) devices, have also contributed to the growth of potential security threats.
Experts are of the opinion that, given the sheer number of stakeholders involved in the process of enabling a user to access an app, it is crucial to cover all bases when it comes to data security. Choi in his article wrote, “Organisations operating in the fintech sector need to make sure all transactions are secure by adapting best security practices. A few examples of such practices are - safe app hosting, leak-proof data storage, using firewalls and encrypting communication channels, access control, and other such mechanisms which ensure users' data is not compromised due to technical errors.”
Research by hardware networking firm Cisco revealed that one in three Indian organisations are facing huge financial losses from security breaches and 24% of companies lost around $1 million or more in 2019. The report stated, “Hackers are no longer just targeting IT infrastructure but have started to attack operational technology infrastructure, intensifying the challenge for companies.” The 2019 Asia Pacific CISO Benchmark Study disclosed that nearly 37% of Indian organisations suffered downtime of over nine hours following a data breach. Around 46% of companies surveyed stated that they have received more than 5,000 threat alerts in a day, of which 43% went unattended.
Safeguarding data privacy
The DSCI-PwC report states that the nature of services provided by the banking, financial services and insurance (BFSI) sector has resulted in the sector being governed by detailed prescriptive guidelines and regulations. It said, “Regulations are becoming ‘granular’ and ‘tighter’ and at the same time, more segments of regulations are coming into the ambit.” There are high risks due to the usage of legacy systems and applications. However, the regulators are also considering risks that have surfaced due to emerging technologies. Furthermore, there has been an increased enforcement of cyber security in this sector. For instance, in 2019, between January and February, the Reserve Bank of India (RBI) levied stringent fines of $10.16 million on 36 public, private and foreign banks for non-compliance with the cyber security rules.
The cyberattacks on the BFSI sector have evolved over the years: the sophistication of cyberattacks is rising as financial institutions learn to overcome the less sophisticated attacks. Hackers and cyber criminals are exploring new attack channels and deploying multi-vector attacks. They are also targeting the core banking systems in order to maximise the returns from these attacks.
The government is also proactively working to mitigate these risks at the policy level. The Government of India is working on the Data Protection Bill this year, which is expected to protect user data with data-breach reporting mechanisms, huge penalties for violations, etc. It is imperative that consumers be aware of data security issues and follow personal security measures. Downloading apps from reliable and verified sources, not clicking unverified links, not sharing personal financial data with anyone, not getting lured by freebies, not using financial apps on unverified networks, and securing the handset with a password are some of the practices that need to be followed in order to avoid breaches of financial data security.