Date: 2019/08/18

Report on

THREATS & SECURITY

IN
DIGITAL PAYMENT
By-
Snigdha Singh
Team : Security Ninjas

AMRITA VISHWA VIDYAPEETHAM

DEPARTMENT OF MANAGEMENT
(2018-2020)

1
Contents
Introduction .................................................................................................................................................. 3
Security measures on end user devices ........................................................................................................ 4
Threats .......................................................................................................................................................... 5
Fund diversion attacks .............................................................................................................................. 5
Spear phishing ........................................................................................................................................... 6
Malicious mobile application based attacks ............................................................................................. 6
Preventive measures in digital payment ...................................................................................................... 7
Cyber forensic and monitoring technologies ............................................................................................ 7
Are we doing enough to address cybersecurity risks? ............................................................................. 7
Best Practices for Digital Payment Security .................................................................................................. 8

2
 Introduction

Last few years have witnessed many high impact cybersecurity attacks, globally, across sectors such as
healthcare, e-commerce, telecom, financial services, government services, manufacturing, and
hospitality causing far reaching implications and establishing cybersecurity as one of the top business
risks. Cybersecurity risk has climbed to become top three risks where CEOs would like to invest. The
magnitude of risk has exponentially increased with enhanced adoption of digital channels by businesses
to interact with customers and capture of information across industries.

Cyber risk is not limited to geographical boundaries and corporates in India have
been fairly exposed to this risk. Our study indicated that nearly 72 per cent of
organizations witnessed some form of cyberattacks. The attacks have
accentuated with significant drive on adoption of digital payment channels over
the last six months with phishing, Distributed Denial of Service (DDoS) and spam
organizations on digital payments channels

being most widely used attack vector.

Fig : Nature of cyberattacks faced by

Nearly 88 per cent of city crowd respondents preferred to adopt digital payment
channels; however, following two major causes act as barriers for adoption-
• Cybersecurity
• Awareness

3
 Security measures on end user devices

Users today are accessing digital channels through multiple devices, and studies indicate that nearly 48
per cent of the users prefer using mobile phones.

Smart phones have emerged as a preferred mode for carrying out digital payments since it enables
communication – anytime, anywhere, provide applications for ease of access. While doing
transactions/business is more convenient by the use of mobile devices, it also exposes individuals and
organisations to cyber security risks such as online fraud, information theft, and malware or virus
attacks.
These may happen because of the any of the following:

 Impersonation, SIM swapping

Impersonation occurs when a fraudster steals information and then poses as a genuine user to do a
transaction using the stolen e-wallet details and password. SIM swaps occurs when fraudsters first
collect the user’s information, and use it to get his mobile phone SIM card blocked, and obtain a
duplicate one by visiting the mobile operator’s retail outlet with fake identity proof. The mobile
operator deactivates the genuine SIM card, which was blocked, and issues a new SIM to the fraudster
who then generates one-time passwords using stolen information.
 Man-in-the-middle attack and Phishing
Sophisticated threats like Man-in-the-Browser or Man-in-the-Middle attacks intercept online
transactions by reading payment data from the Internet browser while the user is typing his credit card
or bank account details. Phishing attacks are used to steal users’ login details and personal data,
making e-wallet accounts susceptible to fraud.
 Malware Attacks
Malware attacks on apps have threatened the safety of user’s money. An attacker can inject a malware
to attack the app and collect details from his phone to misuse it.
 Inadequate security measures on devices.
Smart phones with internet access are exposed similar to traditional computers from security
perspective, however, these devices are normally not secured through various security tools – such as
antivirus, anti-phishing, antimalware, etc. This exposes the users to cyber security risks

4
  Cracked applications installed on devices
Users have multiple applications installed on their mobile phones, which also includes the ‘cracked’
applications that may have access to information across the device. These applications potentially
access financially sensitive information and pass on to attackers

 Vulnerable/unpatched operating systems

India has a mix of users having smart phone with Android™ (76.85 percent) and Apple™2 operating
system (2.33 percent). The nature of some of these operating systems are extremely open which
supports collaboration, but also exposes large set of users to potential security issues.

Threats
Traditionally, bank frauds happen due to risks around identity theft, phishing, unauthorised
transactions, and fraudulent transactions and so on. However, criminals are gradually becoming more
sophisticated in their use of advanced tools and techniques. They now employ malware infections,
remote code execution, and man-in-the-middle of transactions as well as system vulnerabilities to
perform unauthorized as well as fraudulent transactions. Fraudsters exploit zero day vulnerabilities or
alternative payment methods such as digital wallets as well as government initiatives such as UPI have
paved way for newer techniques to perform digital frauds. A few illustrations of the cyber frauds
prevalent in India are as under:

Fund diversion attacks

These type of attacks are becoming increasingly prominent in India, where more and more
companies with export businesses are targeted. The typical modus operandi of this attack involves
infecting computers of key personnel in accounts receivables department or the companies e-mail
server with a view to obtain the credentials of their e-mail accounts. By using Trojan, the cyber fraudster
stealthily monitors the e-mail flow between the victim and the customers over a period of months. At an
opportune time, the hacker strikes by impersonating the victim and directly communicating with the
customer, asking them to remit funds into an account of his choice, which is instantly emptied out using
an international laundering syndicate

5
Spear phishing
Spear phishing is an e-mail spoofing fraud attempt that targets a specific organisation, seeking
unauthorised access to confidential data or transfer of funds. As with the e-mail messages used in
regular phishing attacks, spear phishing messages appear to come from a trusted source.

Malicious mobile application based attacks

An increasing number of cases have been noted where mobile users are presented with attractive online
offers and enticed into downloading and installing unknown mobile applications. Good majority of the
users either always grant permission or simply do not know enough about the kind of consent they may
have granted while installation of applications. In this way, malicious applications enter the mobile
devices. Depending on the level of permissions these applications have been granted, the hacker
connects to the user’s mobile phone and entices/ demands the user or his/her contacts to make
transfers through payment wallets.

6
 Preventive measures in digital payment

Cyber forensic and monitoring technologies

While it is evident that criminals prefer to carry out illegal activities using computing devices, making it
hard for organisations and investigators to establish culpability. To detect cybercrime, organisations are
increasingly leveraging on cyber forensics to know accurate facts of the incidences.

Cyber forensics encompasses the recovery and investigation of material found in digital devices,
following standard procedures acceptable in a court of law. It is also used by private sector during
internal corporate fraud investigations or intrusion investigations (for example, investigating a system
breach that occurred from outside or loss of customer data).

Law enforcement agencies are required to increasingly cooperate among themselves to identify, track
and extract evidences in order to capture criminals. Going forward, digital forensic evidence such as
system logs and user identity details would be required along with the data from telecom, internet
service providers, and cloud service providers such as IP address, GPS coordinates, for effective spatial
and temporal analysis of the crime.

Are we doing enough to address cybersecurity risks?

Country has adopted digital payment channels with significant increase in volume (and value) of
transactions, however, any significant security incident can have adverse impact on the usage of this
channel. It is imperative to have structured approach to security, with following key components:
Security strategy and governance

• Design and implement robust cybersecurity frameworks

• Identify ’crown jewels’ and protect them
• Establish adequate measures for protection from third party risks
• Evaluate the changing threat landscape and align risk treatment strategies
• Empower the users through enhanced security awareness
• Establish robust measures for establishing user identity and authentication for transactions
• Establish advanced authentication measures, such as risk based/adaptive authentication
• Deploy adequate technical and security measures to deal with ’cyber warfare’ Cyber response
• Establish comprehensive cyber and incident response plan
• Conduct regular cyber drills to enhance preparedness

CERT - Indian Computer Emergency Response Team

7
 Best Practices for Digital Payment Security

 Enable Passwords On Devices: Strong passwords should be enabled on the user’s phones, tablets, and
other devices before e-wallets can be used. Additional layers of security provided by these devices
should be used.
 Use Secure Network Connections: It's important to be connected only to the trusted networks. Avoid
the use of public Wi-Fi networks. More secure and trusted WiFi connections identified as "WPA or
WPA2" requiring strong passwords should be used.
 Install Apps From Trusted Sources: Reading the user ratings and reviews can provide some clues about
the integrity of the e-wallet app. The user must check for the e-wallet provider to be showing strong
legacy of securely, reliably and conveniently handling sensitive financial data and providing customer
support (in the event of card loss or account fraud).
 Keep Login Credential Secure: Avoid writing down information used to access the digital wallets in plain
view or storing them in an unprotected file to avoid their misuse.
 Create a Unique Password for Digital Wallet: Use hard-to-guess password unique to the digital wallet to
prevent against the risk of unauthorized access.
 Stay vigilant and aware of cellphone's network connectivity status and register for Alerts through SMS
and emails: The user should not switch off his cellphone in the event when numerous annoying calls are
received, rather answering the calls should be avoided. This could be a ploy to get him to turn off his
phone or put it on silent to prevent him from noticing that his connectivity has been tampered with. The
customer should realize that when he is not receiving any calls or SMS notifications for a long time
against his e-wallet uses, he should make enquiries with his mobile operator to be sure about not falling
victim to such scam.
 Identify Points of Contact in case of Fraudulent Issues: For any fraudulent activity occurring on the
user's account in the scenarios like when phone is lost or stolen, an individual card stored in the wallet is
lost or account has been hacked, appropriate points of contact for resolving the issues should be
understood by the user. The user must completely understand the e-wallet providers contract terms
and conditions.