Demonetisation: Going cashless without preparation is a dangerous opportunity for digital fraud

The recent demonetisation of Indian currency notes is a welcome move for dealing with black money. However, the replacement of the demonetized notes has become long-drawn, given the chaos at ATMs and banks.


By Asheeta Regidi

The recent demonetisation of Indian currency notes is a welcome move for dealing with black money. However, the replacement of the demonetised notes has become long-drawn, given the chaos at ATMs and banks. The elusive Rs.500/- note has only added to the woes of the common man. The result of this move, whether intended or unintended, is a shift to cashless transactions. The suddenness of the demonetization move has led to a spurt of digital payments, including among people with little or no knowledge of the risks involved. The rush towards digital payments is unfortunately a huge opportunity, which cybercriminals will certainly cash in on.

The move to digital payments

The recent ATM hacking in India, which compromised over 30 lakh debit cards, resulted in a loss of confidence in digital payments by Indians everywhere. Barely 3 weeks since then, before any steps were taken to restore their confidence, people have been forced to go completely cashless. This includes people, such as the poor and those in rural areas, who have little or no understanding of the online world, or the risks involved with digital payments.

From grocery shopping to taxi rides, Indians all over were forced to turn to digital payments to get on with their day-to-day lives. The demonetisation move has seen a huge spurt in the use and purchase of e-wallets, use of wallets in-built in apps, and in mobile payments. There has also been a huge increase in the purchase of Point-of-Sale devices. Many sellers who previously conducted cash-based transactions, have turned to digital payments to keep their businesses going.  E-commerce companies have introduced card-on-delivery as an alternative to cash-on-delivery.

Precautions

With the rush to keep life going normally, cybersecurity is likely to take a backseat. As an immediate precaution, the following needs to be kept in mind:

-  Unsecured portals and apps: The use of unsecured portals, unverified apps and wallets all become a point of access to sensitive financial data by the criminal.  Ensure the presence of the ‘s’ in the ‘https’ URL before making an online payment. With the turn to digital payments, any unverified apps or apps for unauthorized stores downloaded onto mobile phones should be deleted, as these can become a point of hacking. Before downloading or using e-wallets and other digital payment apps, ensure that they are an authentic app, from an authentic store. Read the title of the app very carefully, and go through the terms and conditions of the app before using them.

- E-mail Spam and Spearphishing: E-mail spam is obvious tactic, such as fraudulent e-mails promising an exchange of unauthorized black money for the new currency.Another common tactic used by criminals is phishing, or the imitation of a specific organization, such as a bank, to attempt to extract financial data. One form is spearphishing, where e-mails are designed to replicate (for example) the bank’s e-mail. For example, a seemingly legitimate e-mail from your bank can ask you to submit your debit card details as preliminary information for exchange of the demonetized notes.

- IVR Phishing: SMSs are used in a similar manner, for example, you may receive an SMS informing you that you will be given an appointment with your bank for exchanging demonetized notes on contacting the number given in the SMS.This introduces another form of phishing, IVR phishing, or phone phishing. People dialing the phone number are connected to what sounds like a valid call center of the bank.  As people are used to giving details like their ATM pins or Mobile PINs to their bank’s call centers, they are likely to believe they are talking to a valid center and disclose this information. Remember to double-check any such e-mails/ SMSs with your bank. Ideally visit your bank branchphysically and disclose any such information there, rather than over the phone.

- Use of PoS devices: The huge spurt in the demand for PoS devices may have led to unsecure PoS devices being sold to unsuspecting sellers. Without any mandate under law, sellers are unlikely to be very cautious about the PoS devices they purchase. Detecting a PoS device that has been tampered with is,unfortunately, difficult. It is best to exercise some caution, such as through the use of a separate account with a smaller amount of money in it for such payments.

Lastly, any unauthorized activity must be reported immediately, to your bank, and to the nearest police station. The sooner such activity is reported, the sooner measures can be taken to prevent further damage.

Need for cybersecurity laws before going cashless.

Mr. Arun Jaitley, in an interview to Economic Times, stated that the demonetization wasa logical step in the move towards a cashless society in India. While a cashless society is, perhaps, the future, rushing into it without adequate preparation is too big a risk.

To smoothen the process and ensure the financial security of the individual, the introduction of laws mandating cybersecurity measures across corporations is required. Last month’s debit card fraud exposed this huge lacuna in Indian law, despite the financial sector being among the few sectors with cybersecurity regulations. Existing regulations like the RBI’s Cyber-Security Framework for Banks and the Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Fraud, have proven to be inadequate. For example, ATMs in India use the outdated Windows XP operating system, a system that can now be easily hacked for the installation of malware. In fact, the introduction of malware in several ATMs in considered to be the cause of the debit card fraud. Even  e-wallets are only required under the RBI’s e-wallet regulations to have ‘adequate’ information and data security systems in place.

Minimum standards for cybersecurity need to be prescribed and mandated through law. Corporations with higher cybersecurity standards should be awarded some kind of incentive, such as tax incentives, to encourage the adoption of such cybersecurity measures.  Reporting of data breaches should also be made mandatory. This will encourage sharing of information between banks, corporates and other institutions, which can greatly help cyberfraud prevention and control. These steps can go a long way in giving the people the protection they need while turning to the convenience of a cashless society.

The author is a lawyer with a specialisation in cyber laws and has co-authored books on the subject.


Find latest and upcoming tech gadgets online on Tech2 Gadgets. Get technology news, gadgets reviews & ratings. Popular gadgets including laptop, tablet and mobile specifications, features, prices, comparison.