India sees large rise in cybercrime: ASSOCHAM-PwC study

The Indian Computer Emergency Response Team (CERT-In) has reported a surge in the number of incidents till October 2016 with close to 39,730 security incidents, noted the study titled ‘Securing the cashless economy,’ conducted by The Associated Chambers of Commerce and Industry of India (ASSOCHAM) jointly with PwC released at the ASSOCHAM Workshop on “Securing the Cashless Economy” here today.

With more time to detect and time to respond to these attacks, the return on investments for cyberattacks is greater in emerging markets like India as compared to developed markets like the US, noted the study.

Demonetisation has given an impetus to e-wallet services. Mobile wallets have witnessed a massive rise in app downloads. With programmes for financial inclusion, digitisation of the economy and increased use of smartphones, online transactions are already quite popular among the urban Indian population. The result has been that leading mobile wallets have witnessed growth of upwards of 100% in app download numbers and have similarly seen an increase of upwards of 400% increase in wallet recharges, pointed out the joint study.

This smartphone revolution has led to the emergence of e-commerce, m-commerce and other services, including app-based cab aggregators, who encourage digital payments for use of various services. The value added services such as cash back, bill payment facilities, loyalty points, rewards and ease of use have promoted increased usage of such digital platforms.

As the country is experiencing a digital revolution, the impact of this transformation makes it imperative for financial service players to revisit their cyber security resilience. The number of incidents occurring in banking systems has increased in the last five years. In the month of October 2016, an ATM card hack hit Indian banks, affecting around 3.2 million debit cards.  Hence, efforts are needed to enhance cyber security as businesses and citizens embrace this new digital wave, noted the study.

Addressing ASSOCHAM Masterclass Workshop “Securing the Cashless Economy”, Mr Sanjay Sahay, ADGP, Police Computer Wing, Bangalore, Karnataka said we should have our own standards & protocol and operating system.  The types of cyber security incidents such as phishing, scanning, website intrusions and defacements, virus code and denial of service attacks will continue to grow, highlighted the study.

Dr. Ajeet Bajpai, Director General, National Critical Information Infrastructure Protection Centre, NTRO said that post demonetisation banking and financial sector has become the most critical. He also said that earlier (cyber) threats were of nuisance value, now they are disruptive and may become destructive.

While addressing the workshop organised by ASSOCHAM, Dr. Ajeet Bajpai said ‘why should a banking app want to access your camera and audio of your phone?’ He further said that the biometric solutions may actually be more compromising.  Dr. Bajpai said, ‘we need to create transactional literacy’.

More intelligent transaction monitoring will have to be carried out as part of continuous surveillance. Crisis response and recovery strategies will have to step up along with the increased digital footprint. Security awareness of all the stakeholders will be a vital pillar of a secure cashless society, adds the study.

Security assessment and testing will need to be embedded into the agile development life cycle. Agile security testing methods based on automation will have to be adopted. In many ways driving, a paradigm shift is needed in the way security testing is undertaken today.

The new era will call for hyper-interoperability across different value chain players. In order to enable this, each ecosystem player will need to create multiple application programing interfaces (APIs). While this will deliver a seamless experience to customer, there is also a risk of malware injection through such APIs. With faster proliferation of interfaces, protecting APIs will become critical to ensure malware and persistent threats do not propagate through such untrusted/ untested APIs.

In the new cashless world, frauds will be driven mainly by impersonation and will become a daily affair. Accordingly, the need for stronger authentication of transactions will gain significance. The current techniques of authentication based on location and timing will no longer be adequate. Adaptive authentication will need to be embedded into the heart of transaction processing.

Protecting context-rich personally dentifiable information (PII); Both regulators and organisations will be obligated to invest in strong processes and technology to prevent the misuse of context-driven rich PII. While traditional controls such as data masking and encryption will need to be enhanced, capabilities to hunt down any misuse of PII will have to be built by organisations.

In the new digital/ cashless economy, mobility-based solutions will continue to gain prominence and, hence, security concerns will no longer be limited to the organisation architecture boundaries. In order to ensure endpoint security containerised apps with built-in advanced persistent threat (APT) capabilities will have to be developed. Controls for in memory data and additional controls like device certification will be considered. To ensure security of data in endpoints, there may be a requirement for guidelines to define the kind of sensitive data that end devices retain. Hence, the next generation financial infrastructure may involve the adoption of advanced end-user device management solutions.

As the ecosystem continues to be interconnected and overlapping, cybercriminals will try to exploit possible lapses and, hence, strategies need to be built to deal with such eventualities. Given this interdependence on the all the players of the financial ecosystem, it becomes crucial to identify any anomaly at a pace which mirrors real time or near real time.

The security boundaries of the various players will be extended to end users, third parties and other ecosystem partners. Security controls will no longer be defined in contracts limited to uptime and resolution of vulnerabilities, but will actually be embedded in the partner ecosystem. The process for monitoring of parameters will also have to be integrated with the company’s incident response framework.

The awareness theme for tomorrow will thus be multichannel, multilingual and multicultural, and hence go beyond the scope of traditional programmes. Regulators may have to start thinking across industries and develop an awareness programme that addresses this need.