by Nirmal John
In early March 2017, in response to a question in the lower house of the Parliament, minister of state for home affairs, Hansraj Gangaram Ahir, said:12 ‘India is working for bilateral cooperation with around fifteen countries for exchange of information and data pertaining to cybercrimes and related operation in law enforcement.’ That is certainly a start, but it is time for India to take the leadership in initiating multilateral mechanisms to go along with the bilateral partnerships that the minister was referring to.
What makes matters even more complicated for India is that the country’s existing law enforcement network is far from being able to tackle, or even understand, investigation of financial cybercrime. India’s law enforcement system is criticized often enough for being a crumbling, creaking institution when it comes to investigating traditional crimes, let alone crimes of the newer ilk. Financial investigations require the law enforcement to be nimble on its feet as well as technologically proficient, but that is often not the case. When faced with financial crime and theft of money through data breaches, the police often don’t really grasp the nature of the complaint itself, and those who are victims, like Gupta, have to explain the issue in detail before cops take cognizance of the crime.
Adding to the number of cybercrime police stations is a step in the right direction. With the sharp rise in tech-related crimes, the existing stations are being stretched to the limits. The crux of the problem is that addition of cops with the skills and the nous necessary to solve technology-led crimes is not able to keep pace with the blistering growth in such crimes.
In mid-November 2016, the union minister for information technology and law, Ravi Shankar Prasad, informed the Lok Sabha, quoting figures from the Indian cybersecurity watchdog Indian Computer Emergency Response Team (CERT-In), about the rise in reported cyberattacks in India over the last few years.13 ‘As per the information reported to and tracked by Indian Computer Emergency Response Team, a total no. of 44,679, 49,455 and 39,730 cyber security incidents were observed during the year 2014, 2015 and 2016 (till October) respectively.’ These are just the reported incidents, and the actual number of tech-related crimes could be far higher.
The other reality is an already overworked police force. The total sanctioned strength is at 2.2 million,14 however the actual number is believed to be much lower, of which 68 per cent works for more than eleven hours a day in harsh conditions.15 This has resulted in a massive service delivery issue in investigating these crimes. Cops in the cyber cells, which are understaffed, are overworked and just do not have the time to follow up on all the complaints they receive. Lack of enforcement only encourages more crime of the same type, which only underscores how the cybercrime-fighting machinery should be enhanced in the country.
* * *
The adoption of financial technology by consumers is underway at a breakneck speed in India. Technology has disrupted the financial industry for good, and the delivery of financial services through digital transactions is an irreversible direction that the country has embarked on.
In a speech in September 2016,16 S. S. Mundra, deputy governor of RBI, said:
. . . the share of electronic transactions in total transactions in volume terms has moved up to 84.4 per cent from 74.6 per cent in the previous year. Likewise, in value terms, their share has also inched up to 95.2 per cent from 94.6 per cent. NEFT (national electronic funds transfer) handled 1.2 billion transactions valued at around Rs 83 trillion (approximately $ 1.3 trillion), up from 928 million transactions for Rs 60 trillion (approximately $ 0.9 trillion) in the previous year.
It is on this backbone that the consumer-facing digitization of banking has been built in India. This, remember, was pre-demonetization, and the number of transactions enabled by the digital banking infrastructure would have spiked further after 8 November 2016.
In a massive effort that has been going on simultaneously, many millions of the unbanked are finally being brought into the banking system through schemes like Jan Dhan Yojana. As of July 2017, 29.18 crore people benefited from access to banking enabled by the Pradhan Mantri Jan Dhan Yojana, according to the numbers on the programme website.17 This is important, because according to KPMG, only around 53 per cent of India’s population had access to formal financial services.18
Unfortunately, there have been instances of Jan Dhan accounts being used for, what Mundra calls, ‘money muling’, where funds are transferred through such accounts without the knowledge of the customer by those trying to launder money. There have been several such instances where bank accounts of innocent victims were used to transfer money, which came to light only after the tax authorities, noticing unusually high activity in some accounts, flagged it.
Those who are new to banking, or haven’t been educated in safe banking practices in India, often fall victim to phishing episodes as well. There have been instances where people have been asked over the phone, or in some cases over email, for personal and banking information by criminals pretending to be bank officials. Despite banks communicating that such information shouldn’t be shared with anyone, many fall prey to these traps.
‘This episode,’ Mundra added, ‘highlights the failure of banks’ systems and processes for monitoring of accounts. The newly opened accounts under the PMJDY could be very vulnerable to such sharp practices and hence, banks need to clearly guard against them.’
According to Mundra, ‘Complaints related to unauthorized fund transfers, fraudulent withdrawals from ATMs using duplicate cards, phishing emails aimed at extracting personal information etc. have witnessed manifold increase in recent times.’19
Technology adoption in the Indian financial sector could undoubtedly do with a larger emphasis on financial tech literacy. One of the explanations given for the much-debated demonetization exercise in late 2016 was that such a move would trigger the mainstreaming of digital transactions and digital banking. Demonetization has triggered a definite increase in digital transactions, but the question to be asked is whether we have a population that is knowledgeable enough to be safe online.
The material showcased in the financial literacy section of the Jan Dhan Yojana deals more with financial inclusion and the importance of opening a bank account than with security. Posters, booklets and other collateral available on the website deal with communicating why banking is important and why those who don’t have bank accounts should open one. Unfortunately, there are only a few programmes that handhold users through the process as they grapple with the idea of card-based or mobile-based transactions. A KPMG survey in early 2017 found that ‘around 90 per cent of the people are unaware that the government runs a 24 x 7 TV channel DigiShala to guide people and help them adopt digital payment.’20
A strong grasp of how to use financial technology safely is not common currency; it is a flaw that could create hurdles in the push for a more digital India. The country is in a unique position when it comes to adoption of technology. A lot has been written about how India has skipped generations of technology—morphing into a mobile behemoth without having to first go through an era of landlines, for instance.
The country can do the same with financial empowerment and banking through technology if there are more robust checks and balances along with an educated population. Bringing more people into the banking system that is digitally powered is a great ideal to have, but it is also important to build awareness of the dangers awaiting them in that world.
* * *
There is much work to be done in further enhancing the payment security mechanism in India. This is all the more crucial, particularly as the country has embarked on the mobile-first Internet journey. With its large population increasingly adopting Internet, it is only a matter of time before India becomes an even juicier prey for the nastier elements on the Internet. As Gordon Gekko, the fictional banker essayed by Michael Douglas in the film Wall Street says, ‘Greed captures the essence of the evolutionary spirit.’
The mobile phone, being the central piece of the financial
inclusion jigsaw, can safely be assumed to be the target of this Darwinian greed in the days ahead. As KPMG points out,21 ‘smart phones have emerged as a preferred mode for carrying out digital payments since it enables communication—anytime, anywhere, provide applications for ease of access. While doing transactions/business is more convenient by the use of mobile devices, it also exposes individuals and organizations to cyber security risks such as online fraud, information theft, and malware or virus attacks.’
They point to three broad weaknesses. The first consists of the inadequate security measures housed within smartphones which ‘are normally not secured through various security tools—such anti-virus, anti-phishing, anti-malware, etc. This exposes the users to cyber security risks’. The second is the incidence of cracked or pirated applications installed on smartphones, which can ‘potentially access financially sensitive information and pass on to attackers’. The third is the vulnerability of the operating system itself, which ‘is extremely open, which supports collaboration but also exposes a large set of users to potential security issues’.
Similarly, there is an urgent need to update security protocols around mobile wallets and similar payment systems, according to Dharshan Shanthamurthy, founder and chief executive officer of SISA Information Security. He believes the regulators must take the initiative to ensure that the stringent standards that guide the payment card industry are tweaked and updated to suit these wallets and other non-card based payment systems first, and then enforce them on the newer products.
While wallet companies are adding users by the millions, Shanthamurthy also argues against what he calls the chasing of numbers—read users—by them and by the government too. According to him, these payment systems must be afforded the time to survive through the rigour of real-world security challenges. ‘That will ensure that we design securely before we scale up these systems. It is important to have them tested and stabilized before adding numbers, and unfortunately that is not happening,’ he says.
RBI, with its regulatory requirements like multi-factor authentication and transaction messages, can rightfully claim to have been ahead of the curve compared with central banks in many other countries. Unfortunately, unsavoury elements have found ways to manipulate the two-factor authentication. Instances of SIM cloning, for instance, have been reported from various parts of the country.22 This, coupled with the existence of applications that have access to messages, does prompt a need to enhance multi-factor authentication.
When it comes to transacting safely in the digital future, there are some principles that users must adhere to, and there are also elements of the transaction chain that should be taken care of by the financial services ecosystem. Unsavoury incidents will only mess up the trust of the general public in the newer directions taken by the financial services and banking industry. Trust, after all, has been the bedrock of banking, and any incident that creates a deficit of it will come back to bite the industry.
To avoid that, it is only right for financial security professionals to imagine and prepare for the worst, however unlikely it may be. As Shanthamurthy points out, ‘Paranoia is important for security. If you are not paranoid, you’re not doing your job.’
CHAPTER 5
THE WEAKEST LINK
The People Problem in Data Theft
Brijesh Agrawal was furious.
The wiry forty-year-old’s greying mane normally kept him from looking younger than his years. On this muggy afternoon in early August 2016, at his business-to-business e-commerce company Tolexo’s office in Noida, his furrowed brow added to the years.
His office overlooked the fast-changing landscape along the highway that connected Noida to Greater Noida. Where there were once agricultural fields as far as the eyes could see, were now buildings stuck in skeletal stages of construction. With the state of the economy just not robust enough to spur demand, work on many of these tall buildings had stalled. All that was left standing were forlorn ghost structures waiting for the next infusion of funds.
Unlike the half-built complexes in the vicinity, which can be completed in a healthier economy, online businesses as young as Tolexo don’t have the cushion of second chances. This is especially true when they are faced with daunting crisis. Agrawal’s company, Tolexo, had been trying to crack one of the biggest and yet untapped opportunities in India—organizing India’s business-to-business buying online. But the news that he had heard from his team that afternoon could become more than a prickly thorn in his entrepreneurial journey. It could stall the plans of the young start-up and hurt its credibility.
Agrawal’s customer service team had just reported to him the possibility of a leak of customer data from their systems. Worse still, someone seemed to be using the data to defraud their customers. The customer service representatives were getting calls from users about orders that were placed and never delivered. The representatives had looked up these ‘orders’ but found that the database held no record of them. When the agents probed the customers further, they were told that the orders were placed over the phone following a call from Tolexo, mere moments after their browsing the website.
What was spooky was that while the customers going through this trouble were few in number—about twenty-five—they had all received such a call at the same stage of their customer journey. They had added products to their cart but hadn’t followed through with the payment to complete their order; while at this stage, in a matter of minutes, they had received calls on their mobiles from someone claiming to be from Tolexo.
These callers had offered the customers extra discounts to complete the transaction that the customers had left midway. The one condition was that the money had to be transferred at the earliest, and into a bank account number that was provided. The discounts that were dangled at the customers were significant, sometimes as much as 50 per cent. So it wasn’t surprising that a few of the customers took the bait and transferred the money immediately.
Prima facie, it did smell of a scam, and the customers who transferred money should have been a little more careful, but it is understandable that they transacted as they were advised. It wasn’t beyond the realm of possibility that e-commerce companies were dangling attractive carrots at them. There has been a steady offer of discounts from e-commerce players, and to customers who were getting the calls from the fraudsters, it would have seemed like Tolexo was doing the same.
For the customer service reps from Tolexo, it was easy to look up and confirm if these calls were indeed made from their office. There were no records. What was obvious was that someone impersonating Tolexo’s customer service was using their customer data to kick off the fraud.
The whole thing came to their notice only when customers who had paid up grew queasy after a few days when the items they thought they had placed orders for were not delivered. That was when they contacted Tolexo to complain, and that was when they found that they may have been duped.
Such instances were rare, but for the victims, Tolexo and Agrawal, rare was one too many. What was clear was that there was someone who had access to Tolexo’s customer data in real time and that this data was becoming ammunition for fraud. Innocent customers were being swindled of their money by those who stole the data. If not nipped in the bud, this breach could lead to the loss of trust that made bigger companies go belly up, let alone a start-up still trying to find its feet and establish a new category of service.
* * *
Agrawal was used to the challenges that running a new-age Internet business threw up. He had embarked on the Tolexo journey on the back of a substantial legacy of having run one among a handful of Indian Internet businesses to have survived the dotcom bust in the early 2000s.
In April 1996, just about eight months after India’s first Internet connection was established, Brijesh Agrawal and his older brother, Dinesh Agrawal, jumped on to the Internet bandwagon with Indiamart, a business listings website. Before the advent of Indiamart, many companies, especially those of sma
ll and medium size, had extremely limited visibility of the options they had when they went out to source materials or find customers beyond their immediate networks. To source or to find customers, they often had to go through levels of middlemen, and that added avoidable costs to the entire value chain, not to mention the inherent inefficiency of such a situation.
The Agrawals, who are originally from Nanpara, a relatively small town of 50,000 a few kilometres from India’s international border with Nepal in Uttar Pradesh, belonged to a traditionally entrepreneurial community. They spotted the opportunity to solve a real issue for businesses and evolved Indiamart into a platform which connected buyers and sellers in the B2B segment. It started out as an online directory.
It was a long and hard grind to bring customers on board. People had to be convinced of the merits of this new yet unknown beast called the Internet. The Agrawals went around the country meeting people, trying to convince them that paying to be listed on Indiamart was a way to grow their business. They did meet with resistance, but for many who did convert, Indiamart would become something of an essential resource to grow their business.
The shift that Indiamart enabled started bringing something resembling order into the fragmented ocean that was the business-to-business marketplace in India. But growth was slow, and it was soon to become a whole lot tougher. While the Agrawals were taking baby steps into the World Wide Web, there were many others in the Indian business landscape who too were enamoured by the opportunities made possible by the Internet. The Internet had already produced million-dollar businesses in the United States, and the general consensus seemed to be that India too was going to follow down that path. The country was still fresh from being untethered by liberalization in 1991, and the buzz was that whatever had already happened in the West would happen in India too.