Digital payment start-ups unaware of high security risks: FireEye

As India embraces a cashless economy, there has been a sudden spurt in new mobile wallet companies -- but most of these start-ups are setting up digital shops without knowing the cyber risks involved, a top executive from US-based cyber security firm FireEye has emphasised.

This is a dangerous trend when the country still lacks proper infrastructure and legislation to fight against cyber criminals.

"While India is rapidly embracing a cashless consumer economy, payment technologies are growing in adoption faster than awareness of the risks involved," Vishak Raman, Senior Regional Director for India and SAARC, told IANS.

"Many of these are running as startups without sufficient attention to security. The rapid shift to digital transactions will greatly increase our collective exposure to cyber security threats -- essentially fraud and theft," Raman added.

In a first, the Central Bureau of Investigation (CBI) on Friday registered a complaint against 15 people for allegedly claiming fraudulent refunds worth Rs 6.15 lakh from the leading payment gateway Paytm.

A Paytm spokesperson, however, said in a statement that the platform has robust risk management practices but the case has brought the risks to the fore.

According to Raman, in the absence of data breach notification laws and the mandate to publicly disclose attacks, Indian enterprises often do not know how vulnerable they are.

"This creates a false sense of security among CISOs/CIOs that their traditional defences are working fine and that they are immune from advanced attacks organisations elsewhere are facing," Raman noted.

Paytm registered over seven million transactions worth Rs 1.2 billion in a day after the demonetisation drive began on November 8.

Another mobile wallet major, MobiKwik, which launched MobiKwik 'Lite' late last month, registered over two million downloads within the first two days of the 'Lite' offer.

Global payment solutions provider PayU has also observed a hike in average daily transactions from Rs 1.2 million to Rs 2.5 million post-demonetisation.

This is how hackers can attack your money in e-wallets: Create multiple fake accounts to collect money in small amounts; cheat people who are digital novices by psychological manipulation; and breach servers and steal data.

Even though most Indian organisations lack effective defences against ransomware, as threats become more pervasive and frequent in India, organisations are slowly becoming aware about the need for advanced protection.

"However, it takes a combination of technology, intelligence and expertise to effectively prevent, detect and respond to attacks," Raman told IANS.

When asked where India stands when it comes to vulnerability in 2017, Raman said firms in Asia and particularly in India often struggle to discover that they have been breached.

For example, "the median time between compromise and the discovery of an attack was 520 days in Asia Pacific, compared with 146 days globally. That is a massive difference," Raman contended.

In 2016, India faced a wave of cyber security incidents, ranging from targeted attacks on government organisations to ATM malware attacks.

"When coupled with its ill-preparedness to combat potential risks associated with cashless transactions and pushing hundreds of millions of citizens' private information into the digital space, India stands quite vulnerable," the FireEye executive cautioned.

The sophisticated, financially-motivated espionage actor groups focusing on critical systems and maturing businesses will be prevalent in 2017 as these enterprises are often vulnerable to compromise.