On 8th November, Prime Minister Modi spearheaded a surgical strike on black money when he stripped the legal tender status from 500 and 1000 rupee notes. This abrupt, sudden move that was being planned since last six months but known only to select few invoked a wave of jubilation among the Indian citizens but also sent jitters down the spine of black money holders leaving them perplexed, bewildered and flummoxed.
Demonetization of Indian currency along with the restrictions imposed on the withdrawal of money from the ATMs also signals that government is serious about transforming India into a cashless economy. The goal of cashless economy is a welcome step because all transactions will be accounted for but the question that begets serious attention especially in the background of recent happenings is “Is India prepared for a paperless economy?”
Twenty days before the PM Modi’s announcement, the news broke out that hackers had stolen millions of debit cards by breaching and planting a malware into the ATM network of Hitachi Payment Services. This news was followed by SBI blocking 6,00,000 debit cards. The attack on Indian ATM networks cannot be seen in insolation.
In 2015, Regional Advanced Threat Report for Asia Pacific, released by the security giant FireEye, found that 38% of organizations in India were vulnerable to targeted advanced persistent attacks. India is inviting increasing focus from hackers because of the ambitious projects like Digital India that intends to place sensitive personal information over the digital networks.
Further, India has been ranked fourth in Asia-Pacific countries that have the most command and control infection call backs which indicated the presence of compromised systems that are already communicating with remote servers run by hackers.
Now, with demonetization, additional money flow is being directed over the internet through digital transaction. This is a gold mine for hackers who are bound to be attracted towards India thus increasing the risk of more people losing their money through Point of Sale (POS) and digital wallet breaches as well as fraud and scams.
The problem does not lie in the intention of going paperless but the fact that we are going paperless without adequate preparations. Even though cyber security is seen as the biggest risk faced by financial systems, very little investment has been done to guard against future attacks
The ATMs are still running on the archaic and obsolete Windows XP operating system, vulnerabilities of which can be easily exploited by installing malware because the OS is no longer supported by Microsoft. To avoid another big debit card breach, banks should switch to better ATMs with stronger security infrastructure and controls.
The education system in India does not offer programs or courses on cyber security. Despite being the IT giant, not much focus has been given to cyber security yet. India, like other countries, needs to develop an indigenous next generation cyber workforce and groom them by offering formal education on cyber security in high school and undergrad programs.
Except by some large banks, no information sharing is being done among the government agencies and private sector companies. To protect India’s financial eco-system, financial institutions in India should partner with existing global information sharing centers like FSISAC and government should invest in building a Joint Cyber Information Sharing Center to provide accurate and fast communication of cyber threats to the banks. The information sharing program should adopt a common language like STIX and sharing method like TAXII to allow automated cyber threat information to be shared across organizations. Our adversaries are good at information sharing, and to stay ahead, we need to be far better and efficient than them.
India lacks a national level cyber strategy, which is critical for today and strong economy in the future. Some initial work has been done by the government by establishing Indian Cyber Crime Coordination Centre (IC4) or by signing packs with foreign countries like USA and UK, but the big-picture national level cyber priorities are still missing. The administration should develop a national “cybersecurity action plan” with a long-term strategy and specific goals to enhance cybersecurity awareness and protection.
Investment in cyber security is not seen as a priority by most of the private sector companies. The government can generate interest among private player by offering incentives to improve their security posture. The incentives could be given in form of tax credits for adopting cyber practices, training of security analysts, and funding towards research and development projects.
Several organizations with significant IT profile still do not have Chief Information Security Officers (CISOs). Also there are no guidelines for businesses to get cyber security reviews done by independent second line or even report data breaches. More compliance does not equal better security, but voluntary risk-based standards like NIST Cyber Security Framework are needed to provide common language to manage cyber risk and enhance their cyber readiness without placing additional regulatory requirements on the organizations.
The recent Tesco Bank (UK) hack shows that attackers go after assets that can be easily monetized and often follow the path of least resistance. Arriving at better security starts with being more resilient to cyber compromise. To achieve that, Banks need to deploy a multi-layered balanced technology, process, and people approach and develop a strategy that encompasses prevention, detection, and response.
Above all, the risk of cyber frauds in India is further compounded by the lack of cyber awareness. Roughly 70% of the population resides in rural areas that lacks cyber literacy and awareness. Even the urban areas don’t fare much better. Although many banks have implemented two-factor authentication but fraudsters can still dupe people through techniques like IVR phishing, scam calls, and spearphishing. Government and financial institutions should invest in continuous consumer awareness on securing their internet banking and mobile transactions, and ensure that consumers are aware of new fraud methods.
Most of these challenges are not unique to India only but as India rapidly moves into the digital payment 2.0 era, it is going to face a new set of problems not faced by any other country. Cyber security is one such dimension for which India needs to prepare well and in advance.
India needs to go cashless for curbing black money but also needs to put in adequate cyber security measures for preventing cashless economy going moneyless and for that PM Modi needs to initiate not a surgical but a pre-emptive strike against cyber threats.
(Disclaimer: This is a guest post submitted on Techstory by the mentioned authors. All the contents and images in the article have been provided to Techstory by the authors of the article. Techstory is not responsible or liable for any content in this article.)
Image Source: lifars.com
About The Author:
Anuj Goel is the co-founder of Cyware; a cybersecurity platform with a mission of enhancing cyber awareness and real-time sharing of intelligence and incidents to enable proactive identification and mitigation of threats. Previously, Anuj worked at Citigroup in New York as the head of global strategy and planning covering information security and anti-money laundering. Anuj is a Senior Member of the IEEE and has served as an executive committee member of the Financial Services Sector Coordinating Council (FSSCC). He holds a doctoral degree in Engineering and has earned several globally recognized cybersecurity certifications.