10 April 2017 14:19:10 IST

How secure are mobile payments?

A study conducted by IIM-B shows some glaring security holes

With the rapid development of information technology, ubiquitous mobile phones, and the impact of demonetisation, India has experienced a significant surge in the number of electronic transactions being made through mobile payment apps and services.

However, around the world, the spread of electronic banking has resulted in thousands of cybercrimes and monetary thefts by cybercriminals. Security risks associated with electronic transactions through mobile payments are high due to technological and other reasons.

The study

A study conducted by the Centre for Software and IT Management (CSITM) at Indian Institute of Management, Bangalore, focuses on the risks associated with Indian mobile phone-based payment systems.

“We conducted experiments with five popular mobile payment systems, in four broad categories — wallets (Paytm, FreeCharge), direct link with user’s bank (BHIM), bank’s app for account holders (iMobile by ICICI Bank), and basic USSD service (dialing *99#),” said Prof Rahul De, chairperson of CSITM, and faculty in the Decision Sciences and Information Systems area at IIM-B.

He explained that the study evaluated the apps on the following six key security principles (combining Basel Committee’s ‘Risk Management Principles for Electronic Banking’ and RBI norms for electronic banking transactions):

~ The potential for confidentiality breaches.

~ Management of transactions for subsequent repudiation.

~ Strength of the authentication process.

~ The data and transaction integrity procedures.

~ The extent of access and availability of services.

~ The procedures for maintaining privacy of customer information.

According to Prof De, the study found serious privacy concerns with all the services studied. For instance, while many apps such as FreeCharge are not directly linked to third-party vendors (such as Uber or BigBasket), others such as Paytm allow automatic linkage. These vendors can then deduct amounts automatically, without the user’s explicit consent. The potential for confidentiality breaches was a problem observed in all the mobile payment methods except USSD.

A recurring security concern was that many of the apps (such as Paytm and FreeCharge) do not automatically log users out, which means that anyone with access to the phone can make financial transactions through them. This risk is highest if the user loses or misplaces her/his mobile phone, and higher still if the phone is unlocked or unprotected. However, apps such as iMobile and BHIM have auto-logout/session time-out features.

“We also observed inadequate transactions management and no evidence of systematic analysis of transaction patterns. The lack of these features is a potential security violation.

“However, even while we were conducting the study, we observed that the features of these apps and services were constantly evolving and changing. Hence, we add the caveat that the evaluation of the apps in this report is as observed during our study conducted between December 16 and January 17, and it is likely that some of the concerns presented in this report have been addressed, and, perhaps, new concerns have emerged,” Prof De emphasised.

To read the detailed report, click here.