Planning to go cashless? Beware of cyber criminals who are tracking your every step
With the growing usage of payment wallets, there is a high possibility of malicious apps now tracking that growth and trying to steal from them, without the user being aware of it.
The vision of making India a cashless economy may not be a distant dream if we pledge to build a robust security infrastructure ensuring seamless transactions. Simultaneously, we cannot overlook the potential of fraudsters intruding into the system using sophisticated hacking tools.
A case in point is the recent attack on UPI (United Payments Interface), the flagship product of the NPCI (National Payments Corporation of India). Tech-savvy fraudsters walked off with Rs 25 crore from Bank of Maharashtra owing to a bug in the UPI app.
However, the NPCI in a report clarified that Bank of Maharashtra had actually procured a UPI solution from a vendor, which had the bug that caused the unauthorised transactions.
AP Hota, MD and CEO of the NPCI, told YourStory,
“I would like to reiterate that the UPI system at NPCI is robust, and that there should be no concern on security. We would like the membership of UPI to grow from 44 percent at present to about 75 percent in six to seven months. We would also like to see more and more merchants adopting UPI for immediate ‘collect’. The current level of only 15 percent merchant-related transactions has to go up to 50 percent.”
The NPCI, in a move to combat cybercrimes, has implemented the Fraud Risk Monitoring and Management solution (FRM), a real-time tool for fraud detection and prevention. This solution will be leveraged to monitor all the transactions via NPCI for online products.
A European cyber-security company, F-Secure, has warned that in the wake of demonetisation, India is expected to be a key target for point-of-sale (POS) and banking malware, especially for mobile wallets, in 2017. The latest report, titled ‘Threat Landscape India 2016 & Beyond’, further shows that Android-based smartphones have been facing the maximum number of cyber-attacks since the 8 November 2016 demonetisation decision of the government.
Reaching out to a couple of cyber-security experts, YourStory gained an overview of the current cyber-security scenario in India, as well as some insight into the latest trends.
Internet of Things
It is important for retailers to develop an overall infrastructure policy on IoT devices, and address potential security issues for new devices even before problems arise.
It is a strain of malware that prevents users from accessing their systems by locking down screens or files until a ransom is paid. More advanced crypto-ransomware that essentially scrambles files and renders them unreadable without a decryption key has become increasingly prevalent in recent years, especially among cybercriminals targeting enterprises.
Varying channels of attack
The increasing adoption rate of EMV (Europay, Mastercard and Visa), chip-enabled point-of-sale systems and widespread implementation of the Payment Card Industry Data Security Standard (PCI-DSS) checklist has caused a series of retail customer data breaches. While direct attacks on entry points such as PoS systems may see a fall, cybercriminals could instead turn their attention to other vulnerabilities such as gaining access to company systems via supplier/vendor credentials or through unsecured IoT devices.
Contactless cards operate using NFC (a sort of RFID-based technology). A card integrates a chip and an antenna, which respond to the POS terminal’s request using a 13.56 MHz frequency range. Different payment systems use their own standards, like Visa PayWave, MasterCard PayPass, and American Express ExpressPay. But all of them still employ the same approach and the same core technology.
The majority of today’s smartphones are equipped with an NFC module. Apparently, smartphones are frequently located in close proximity to a wallet. Once the compromised smartphone is placed close to a contactless card, it signals the possibility to perform a transaction to attackers. Scammers then activate a regular POS terminal, and place their NFC-enabled smartphone close to the terminal. Thus, a ‘bridge’ over the internet is built between an NFC card and an NFC terminal, regardless of the reach.
“Retail space or the consumerisation of technology has given rise to mobile payment wallets, creating financial freedom for users from physical currency. Similarly, the ease of Wi-Fi access from public Wi-Fi and increased data speeds has made people use social and digital media more lavishly, but less protectively. These behavioural changes also result in a sharp rise in ransomware attacks on individual users for financial gains, by holding their valuable personal data to ransom with crypto wares, apart from the increased threat of stealing personal data in motion from users at public or unsecure Wi-Fi networks,” says Govind Rammurthy, MD and CEO, eScan.
Critical issues hurting online and offline retailers
Security experts say that many of the digital wallets are put through rigorous tests and checks before being made available to users. But there is no such thing as a 100 percent guarantee, given the rise in the number of lookalike apps, which are really malicious in nature. Kaspersky Lab had released one of the earliest means of detection of stealing from e-wallets.
Verification of the source before downloading the app is a very good way to prevent attackers from intruding into the smartphone. Moreover, giving away all the permissions to the app may put the credentials of the users in the hands of fraudsters. Installation of a good mobile security solution on smartphones and tablets is strongly recommended.
Govind emphasises that with the growing usage of payment wallets, there is a high possibility that malicious apps are now tracking that growth and trying to steal from them without the user being aware of it. At the same time, QR code misuse or phishing could lead to unsuspecting users losing their life savings.
The spurt in digital payments, especially after demonetisation, threw light on many areas of concern. Amidst the flurry of digitalisation, we tend to be virtually connected to internet on-the-go and often end up using public WiFi connections, which are vulnerable and susceptible to hacking by cyber criminals.
Are PoS devices vulnerable to cyber criminals?
Today, PoS systems are not only used for payment purposes, but they also provide other operational information such as accounting, sales tracking, and inventory management. What poses a threat here is the misuse of data by cyber criminals through providing of personal information while accepting payments.
Altaf Halde, Managing Director, Kaspersky Lab (South Asia), highlights that cyber criminals use key loggers, memory dumpers, network sniffers, and verified personal data collection. The need of the hour is the updation of outdated systems, default deny options on the device, and the installation of an anti-virus.
Last but not the least, how can we forget QR codes, which are today used everywhere, including on the pages of magazines, signboards, and online portals. Post-demonetisation, wallet companies were seen betting big on the offline QR cards for merchants to increase their offline presence. Sensing the significance of QR codes in the retail sector, the NPCI, along with card network companies MasterCard and Visa, launched the Bharat QR as well. This will involve every merchant in the country having a unique QR code, allowing users with debit or credit cards to pay directly from their phone, through just a scan.
On how vulnerable QR codes are against cyber criminals, Govind says the dangers of using a QR code are that you could be directed to a phishing website that may ask for your personal information. It may also redirect you to dangerous sites that contain Trojan Horse or even introduce ransomware to infect your device. Being aware of the ill-effects of transactions using QR codes is important.
Analysts say that one good way for businesses to start addressing their security concerns is by assessing their own prevention posture, which allows them to get a clearer picture of where they should channel resources and expertise to address key vulnerabilities.
Attacks on PoS systems have been growing over the past few years, with new breaches such as Code Red, SQL, and Slammer moving in, affecting both small retail shops, large hotel, and restaurant chains. According to the Verizon Data Breach Investigation report 2016, 525 PoS breaches disclosed data in 2015 alone.
Why do POS breaches remain an extremely lucrative endeavour for cyber criminals? Altaf says that the primary motivator for cyber criminals is often profit. The physical point-of-sale contains the all-important information found on the magnetic strip of a credit card, meaning it can be cloned and used for fraudulent purchases.
“Indians also perceive non-cash transactions to be inherently insecure and proper education and awareness is needed for the entire ecosystem to move forward. We at RupeePower endeavour to provide a digitisation solution that is secure, transparent, and easy, simplifying the credit decision-making process so much that it is just second nature to implement it,” says Tejasvi Mohanram, Founder and CEO, RupeePower.
Employee training, password maintenance, lock-down connections, limited physical access, updation of the operating system of each machine, installation of PoS security software, encryption, and backup are the crucial factors, according to Altaf, to ensure the security of the seamless transactions in the retail space.
Employees should be trained on how not to fall into the trap of spam calls asking for passwords and to not casually click on social media links and email attachments in the workplace, especially on any POS-equipped machines. Once the PoS system is installed, the default password should be changed, and each employee should have their own login to the machine. Wi-Fi systems on which the PoS machine is connected need to be password-protected and contain firewalls.
To safeguard businesses from the tricks of POS fraudsters, Kaspersky Lab has introduced Kaspersky Embedded Systems Security–a solution designed to protect payment card systems. With Kaspersky Small Office Security, business owners can prevent employees from visiting certain types of websites (e.g., social media) and from downloading programs.
For businesses in retail, having a good understanding of their prevention readiness with regards to endpoint security is particularly important, given the large number of user interactions. They should take note to prevent exploits, update outdated operating systems and servers, and ensure that they have sandboxing and anti-malware technologies available. Businesses should also take note to adhere to existing data security standards such as the PCI-DSS and ISO 27001,” says Mark McLaughlin, Chairman and CEO at Palo Alto Networks.