Why India's financial system is vulnerable to hacks

Image source, Getty Images
Image caption,
The details of 1.2 million Indian debit cards were available online last month

A recent cyber-attack on a nuclear power plant has sparked a debate on the country's ability to protect itself in a cyber-war. But experts say Indians should be more worried about the vulnerability of its financial systems. The BBC's Ayeshea Perera finds out more.

News that India's biggest nuclear plant - the Kudankulam facility in the southern state of Tamil Nadu - had been subject to a cyber-attack made headlines across the country last month.

It sparked conversations about whether the country was "cyber-ready" and many questioned whether it would be able defend critical infrastructure from malicious digital attacks.

But there is a much bigger issue that affects millions of Indians - debit card hacks and other forms of financial fraud.

Just last month, India's central bank asked banks to investigate a warning by the Singapore-based cyber-security firm Group-IB that the details of 1.2m debit cards were available online.

And last year hackers were able to siphon off 900m rupees ($12m; £9.7m) from Cosmos bank in the western city of Pune through a malware attack on one of its data suppliers.

Why is India so vulnerable?

"India's financial systems are extremely vulnerable, because we still rely on international banking networks like Swift to make transactions. International gateways are open vectors of attack for India," Arun Sukumar, head of the cyber initiative at the Observer Research Foundation think tank, told the BBC.

And a report by cyber-security company Symantec said India was among the top three countries in the world for phishing and malware attacks.

Image source, Getty Images
Image caption,
There are an estimated 900m cards operational in India today

Although this comes down to the sheer size of India's digital population - the population of France is added every month to the country's internet - it is a big concern because many first-time internet users are being pushed to use digital payments.

In November 2016, for instance, when the government suddenly removed 80% of the country's cash from the economy by saying that 1,000 and 500 rupee notes would no longer be valid, Prime Minister Narendra Modi heavily promoted digital payments as an alternative.

Mobile payment platforms - both indigenous (Paytm) and international (Google) - have since become a massive industry in India. A report by Credit-Suisse estimated that mobile payments in India would become a $1tn market by 2023. Credit and debit card payments are also popular, with an estimated 900m cards operational in India today.

"Many of the newest entrants to India's internet - more than half the 600 million-odd total users - are from the middle or bottom of the pyramid. This means that very often, their digital literacy is low, or they are migrant labourers working in states where they are not familiar with the language. So they are very vulnerable to fraud," technology expert Prasanto Roy told the BBC.

"And secondly, there is inadequate reporting of fraud by banks, which means sometimes consumers are not even aware of what has happened."

What kind of fraud is happening?

Financial fraud in India takes many different forms. Some involve hackers fixing skimmers and keyboard cameras to ATMs, which duplicate the card details of unsuspecting users. Others involve calling people up and tricking them into handing over information.

Image source, Getty Images
Image caption,
A lack of ATM standardisation is confusing to first-time users

"The problem is that in a digital transaction lines are blurred and confusing. In the real world there is a clear distinction between giving and receiving. But on a mobile payment platform, this is not always clear. For instance, someone trying to sell a table online might be called by someone posing as a prospective buyer, offering to make an online payment," Mr Roy explained.

"If that person says that he or she has made a payment and tells you that you will get a code via text message to confirm the transaction, many users would think nothing of it, even if they are asked to tell that person the code. The next thing they know is that the money has been deducted from their account."

What improvements can be made?

One problem is that the systems themselves are not secure or transparent enough. In the Cosmos fraud for instance, the software was not able to throw up red flags when so many transactions were compromised. And by the time the fraud was discovered, a huge sum of money had been lost.

Furthermore, a lack of standardisation also makes transactions confusing, especially for first-time users. ATMs for instance, come in many different forms and each payment app in the country has a different interface.

Secondly, Mr Sukumar points out that there is also a human problem. People lack even basic awareness of the dangers, leaving both themselves and sometimes entire systems at risk.

Image source, Getty Images
Image caption,
India's mobile payments market has seen exponential growth

He made a comparison with the 2010 malware attack on an Iranian nuclear plant: "After all, the Stuxnet attack was made possible by an errant staff member who reportedly plugged an infected USB drive into one of the computers at the Natanz nuclear plant."

What is the government's role?

Mr Roy says it is for the government and institutions to provide security in financial transactions - not the end user.

"Given the rate of India's internet growth, it is not possible to rely on just education alone. It's not possible for everyone to keep up with the sophisticated methods of hackers, especially when they are constantly changing tactics and methods. So the onus has to be on regulators and payment firms to protect users," he said.

The other problem is that communication between the various cyber-security organisations is just not fast enough.

The Computer Emergency Response Team (Cert), who are the frontline defenders of India's digital infrastructure, are sometimes too slow to respond to reported threats.

But India is already aware of this. The country is formulating a national cyber-security policy for 2020 and officials have identified six critical areas where policy needs to be where special attention is needed. Finance security is one of these areas.

Ideally, says Mr Roy, the Certs being planned for the six critical areas should communicate with each other, with oversight from a coordinator.

It is only then that India will be able to effectively respond to the risks that come with moving to a largely cashless economy.