" />
Friday, July 28, 2017

E-wallets huddle up to offer secure systems for consumers


Digital transactions through e-wallets are rapidly increasing and so does the risk of frauds.

Due to this sudden rise and lack of security, users are concerned about usage and security of their money in e-wallets.

Safeguarding the money of the consumers from any risk if the phone is lost, e-wallet giants introduced various protection plan to ensure money in the e-wallet remains safe.

Paytm has introduced ‘app password’ feature that will enable users to secure their e-wallet through password, pin, pattern or fingerprint. Currently, the feature is available for android app only.

The feature will allow users select desired security password by going using the ‘security’ option in the ‘setting’ menu. Same password will be used to access the app and each time before completing any transaction.

“The security of our customer’s money is of utmost importance to us. The launch of the new App Password feature is yet another step in that direction as your Paytm wallet is protected even if you lose or misplace your phone. This will not only offer greater peace of mind to our 164 million strong user-base, but also serve as a showcase of our unmatched commitment to our customers.” said Paytm’s Deepak Abbot.

On the other hand FreeCharge partnered with Reliance General Insurance Company Limited to provide wallet insurance free of cost to all its users. The underlying wallet balance of all the customers will be insured up to a limit of Rs 20,000, as long as the user is transacting at least once a month.

In case the phone is lost or theft the customer needs to file an FIR under 24 hours and needs to report the same to FreeCharge through e-mail or calling customer care.

To keep the consumer money safe at all the times, the company operates an in-house fraud & risk management system.

Commenting on the development FreeCharge’s CEO Govind Rajan said, “We have realised that consumer perception of wallet safety is critical to drive both adoption and retention of our customers and hence we are offering this plan to our consumers free of cost. FreeCharge is faster, convenient and more efficient than cash and now much safer too. We believe this is another step to help realise the vision of a less cash India.”

“What we are witnessing is a digital revolution of sorts with an ever increasing focus on digital payment instruments. In keeping with the times, an insurance product around the same was both needed and logical. Through our partnership with FreeCharge, we are taking a step in that direction and hope to play our part in the country’s vision of going cashless,” added Reliance General Insurance‘s Rakesh Jain.

According to a report by chipset maker Qualcomm e-wallets and mobile banking apps in India are not using hardware level security which can make online transactions more secure.

Cyber Security In India – To Breach Or Not To Breach !


India suffered its largest data breach last month that was exposed to public only on October 19th when State Bank of India (SBI) blocked 0.6 million debit cards. Later, the news broke that about 3.2 million debit cards across major banks that include ICICI, HDFC, AXIS and YES bank had been potentially breached by hackers.

The breach had occurred at the ATM machines serviced by the Hitachi Payment Services. As per media sources the breach happened because the respective ATM machines were infected by a malware. Who did this? Nobody knows as of now! But there are many who have reported unauthorized transactions from their accounts that have been traced to foreign countries.

A forensic investigation of the breach is underway and the details will be known only when the report is issued. Whether we (public) will come to know of the details of the breach will depend on the magnanimity of the government and the banks. This is because there is no breach disclosure law in India that mandates the banks to wilfully disclose information concerning all breaches, although the day is not far when such legislation will be enacted as it has become a norm in most cyber aware countries.

However, one learning that we need to take from this breach that neither government nor banks would share is that India would continue to be targeted by the hackers and the attacks are only going to increase and become more sophisticated in future. This is because the rise of digital economy is not serendipitous but rather an anticipated outcome of human advancement in science and technology.

Related Read: Startups That Bet Big On the Fintech Space!

A particular aspect of this change is the increasing number of cashless transactions that are taking place in Indian payment eco-system. People now like to purchase things from e-commerce websites, like to pay their bills online, carry debit/credit cards instead of cash; and as the dependency on technology advances, the cyber crime will also advance; become more frequent, complex and sophisticated.

There is little doubt that the life of an average consumer has become easy owing to the cashless services but what’s ignored by the banks and the consumers themselves is the negative fallout of a cashless economy. The financial institutions invest less on security of their assets and information than they spend getting more business to achieve the annual targets.

Similarly, the average consumer is hardly aware of the number of ways he/she can be scammed or robbed of his/her sensitive financial data, which in turn is used for stealing his/her identity or making fraudulent transactions. Even the banking staff is mostly unaware of the basic security threats and risk mitigation strategies they need to follow.

The primary reason behind such a state of security infrastructure of Indian financial system is the lack of cyber awareness and information sharing. The private sector is nowhere close to where it should be in cybersecurity because except by a very small number of banks, no information sharing is being done among the public and private sectors.

Related Read: How To Avoid Mr. Robot? Ways To Firewall Yourself From The Hack !

At the same time, the threat landscape is continuing to evolve with recent DDoS attacks on western networks, and spear phishing campaigns weaponized to deliver credential stealing malware, destructive malware and ransomware. Although Indian companies have not experienced it closely, in the past decade or so, the damage caused by cyber attacks has grown from brand reputations and account takeovers to brining down critical infrastructure to its knees.

As India marches on the path of development, it will face new challenges related to securing its infrastructure. The ask is simple – in such a high-risk environment, security teams need to be proactive.

It can be done by investing in information sharing and joining networks like Financial Services Information Sharing and Analysis Center (FS-ISAC) to share threat and vulnerability information with peer banks, conduct contingency planning exercises, and enhance collaboration among other banks and with other critical sectors, like telecommunication, power, and transportation, who financial sector depends on to run its operations.

Finally, situational awareness is the factor that is indispensable to resilience of the banking and payment eco-system. There is a growing consensus on making “cyber situational awareness” a sine qua non force for combating cybercrime.

In simple words it means empowering bank employees with events in cyberspace so that they can identify and detect the signs of cybercrime in real time and take effective steps to prevent, respond and contain it. Unless, these loose ends are fixed, the adversaries would continue to have a field day in breaching banks and stealing sensitive information.

(Disclaimer: This is a guest post submitted on Techstory by the mentioned authors. All the contents and images in the article have been provided to Techstory by the authors of the article. Techstory is not responsible or liable for any content in this article.)

About The Author:

Anuj Goelanuj-goel is the co-founder of Cyware; a cybersecurity awareness platform with a mission of enhancing security culture by strengthening situational awareness and building a common, shared knowledge of cyber threats. Previously, Anuj worked at Citigroup in New York as the head of global strategy and planning covering information security and anti-money laundering. Anuj has several awards and accolades to his credit including Citi Dazzle Award in 2012 & 2014. He is a Senior Member of the IEEE and the Sigma Xi. He also served as an executive committee member of the Financial Services Sector Coordinating Council and has been cited in Who’s Who in Science and Engineering.

Sebi to beef up cyber security framework for markets


MUMBAI: To protect securities markets from cyber threats, regulator Sebi is looking to further beef up its policy framework on this front and plans to appoint a chief IT security officer to head these initiatives.

While Sebi has already asked stock exchanges and other market entities to put in place necessary framework to safeguard their systems, networks and databases from cyber attacks, the regulator is now looking at ways to further strengthen these mechanisms, a senior official said.

Sebi will appoint a Chief Information Technology Security Officer, who will be responsible for strengthening its regulatory policy framework in the area of cyber security.

The Officer would oversee implementation of these regulatory policies across security markets and also help enhance capacity building at Sebi and various market participants with respect to cyber security.

Sebi would also develop stress testing mechanism to mitigate risk arising out of cyber-attacks, while necessary framework would be put in place for taking corrective measures and prudent response in case of cyber attacks at the regulator or market participants.

Sebi has invited applications from eligible persons for the post of Chief IT Security Officer, who will need at least 10 years of experience in IT industry, preferably in cyber security and IT systems audit, and a minimum five years as head of a large unit of an IT company or IT unit of a bank, financial institution or market infrastructure institution.

The Officer would also observe developments in cyber technology and security space and prepare inputs for regulatory policy development.

In a recent interaction, Sebi Chairman U K Sinha raised concerns about growing cyber security threat for markets.

“We have some guidelines in place but there is a need to revamp them. We are working with experts to address the gaps and appropriate action would be taken soon.

“There are some government agencies also looking into the aspects of cyber security from the perspective of national security and they have also given us some inputs,” he said.

Earlier, Sinha had said cyber attacks are now occurring in a more sophisticated manner, while he had also raised concerns about state-sponsored cyber attacks from abroad.

“We are worried over state-sponsored cyber attacks. There are worries that the vulnerability in markets are increasing. We need to create a framework for future plan of action on securities market resilience,” he had said.

Last year, Sebi had asked all exchanges, clearing corporations and depositories to put in place a robust cyber security framework for systemically critical functions of trading, clearing and settlement in securities market.

Sebi has also asked Market Infrastructure Institutions (MIIs) to restrict access controls, whenever necessary. “No person by virtue of rank or position should have any intrinsic right to access confidential data, applications, system resources or facilities.

“MIIs should deploy additional controls and security measures to supervise staff with elevated system access entitlements (such as admin or privileged users),” Sebi said.

Data of 10 banks hacked from National Payment Commission of India


The data of 10 banks has been hacked from National Payment Commission of India (NPCI), sources told dna. People have complained that money has been withdrawn from their bank accounts.

However, NPCI boss AP Hota told dna this was not true. He said, “Not correct. We gather that compromise has happened at a few ATMs of a bank in private sector. But the bank is yet to confirm. Our Risk Head is in touch with the bank.”

Cybercriminals yet to figure how to make money from IoT: Raimund Genes


Raimund Genes, chief technology officer at security software firm Trend Micro Inc., has held several executive positions at the company, prior to which he worked in the German air force for 12 years in radar guidance and aircraft tracking.

In an interview in Mumbai, Genes spoke about cybersecurity trends in the digital world, and how his team is working to protect users and companies from these threats. Edited excerpts:

Can we really compute the cost of cybercrime?

We at Trend Micro don’t compute the cost of cybercrime, and all assumptions and statistics about the cost of cybercrime being floated around are simply estimates. We have been in this security business for 27 years and we don’t feel the need to scare people with these figures (Intel Corp.’s security arm McAfee pegs the likely annual cost to the global economy from cybercrime at more than $400 billion.)

I could tell you the exact cost of a piece of malware but when it comes to the total cost of cybercrime, all I can say is that cybercriminals make more than drug traders, and the risk of them being caught is much lower than that of a drug trader because cybercrime is international and does not know any borders.

How much of a risk does India face, especially from ransomware that tops the cybercrime list in developed countries?

The risk in India is much lower than in other countries, at least as of now. But the attacker would not necessarily be from India. He or she could be from Eastern Europe, where many attackers are from.

Globally, ransomware appears on the top of the list because it is so visible—cybercriminals want you to see their message on your devices to scare you so that you pay the ransom. On the other hand, other malware like keyloggers, which sit on your computer silently but steal vital information like your PIN numbers, can go undetected for even six months and more.

Ransomware is in your face. In terms of malware distribution, ransomware is definitely on the top of the list in the US, and in parts of Europe where keyloggers, remote access Trojans (RATs), etc., make up for the rest of the malware. In Japan, ransomware is typically low. In parts of Asia, it is high. But in India, ransomware is low on the list.

In India, cybercriminals typically use keyloggers, RATs that try to siphon off credit card and other financial information from your computer.

Why is ransomware low in India?

Cybercriminals typically seek return on investment (ROI) from their crimes. Hence, it makes more sense to seek ransom from people in developed countries who have more money. For instance, a recent study revealed that 5% of companies in the US paid ransom but in Canada, the number was very high at 75%, which shows how nice Canadians are (laughs). There are some cybercriminals who even do not know how to use ransomware, so they hire other cybercriminals who sell ransomware-as-a-service, and then try to find out which company or country gives the best ROI.

Cybercriminals have now begun targeting Internet of Things (IoT) devices…

We don’t see large-scale IoT attacks because cybercriminals have not figured out how to make money here. You have so many IoT devices with so many versions of software, so it is unlikely that we will see large-scale IoT attacks in the near future.

You do hear a lot about IoT attacks by White Hats (ethical computer hackers) but that’s for fame. For example, at the recent Defcon event in the US, we demonstrated Drone hacking, etc., but it was basically to show that better security measures need to be implemented.

This March, at the CeBIT event in Hanover, for instance, we demonstrated sex toy hacking by placing a large, neon-pink vibrator on a desk and bringing it to life by typing out a few lines of code on a laptop. We got a lot of press for it. But if you want to do something bad with this, I can get to the back-end infrastructure and blackmail people by getting hold of the sensitive (and embarrassing) data of the people who use this.

Also consider the case of smart TVs. Till now, there were hardly any attempts by cybercriminals to hack these because of the different versions of software. But in China, recently, a smart TV was hacked by a cybercriminal—that is because of the now common Android OS (operating system) build. This implies that malware is used most where standardization prevails, which is not yet the case with IoT devices.

If I want to make money as a hacker from IoT devices, I would rather attack the infrastructure that connects these IoT devices to render them useless. For instance, of what use will be an IoT device that cannot connect to the cloud—it will be garbage. You can do a DDoS (distributed denial of service) on the infrastructure or steal all consumer data like health, geolocation, etc.

Are cyberattacks on the rise in the financial sector, especially with digital payments picking up around the globe?

We saw isolated attacks in those in the US on companies like Target and Home Depot (in 2014), where millions of customer debit and credit cards were put at risk after hackers broke into the companies’ payment systems. That was primarily because the US was using cards that mostly used magnetic stripes for swiping rather than the chip-and-pin system that others were using in Europe.

Also consider the banking heist in Bangladesh where the hackers seemed to be well aware of the infrastructure (in February, the hackers used the Society for Worldwide Interbank Financial Telecommunication, or SWIFT, credentials of the Bangladesh central bank employees to send more than three dozen fraudulent money transfer requests to the Federal Reserve Bank of New York asking it to transfer millions of the Bangladesh Bank’s funds to bank accounts in the Philippines, Sri Lanka and other parts of Asia). Hackers can physically open the service port of ATM machines, plug in a USB stick and get the ATM to dispense all the money held in the machine.

Earlier, most of the work was done on mainframes where every CPU (central processing unit) cycle cost money and where controls were tight because they were UNIX-based systems. Then came the age of PCs (personal computers) and users could install all kinds of software.

This is both good and bad. It means that when your in-house development team releases a new application, it needs to train the system before the application can be deployed—at least on critical systems like servers.

Android apps appear to be posing a big security risk to users.

Android, by design, is not insecure. However, the rights management in Android is not good. It allows you to access third-party apps and users do so when they are desperate to acquire popular free apps. You are relatively safe if you download apps only from Google Play.

This is not the case with iOS because Apple has very strict rules for its developers and does not allow users to download apps from any store other that its own Apple Store.

China is the biggest mobile phone market store?? but Google does not operate in China. However, the fact is that we get the biggest mobile malware from China. If Google accounts for the malware from China, then users who download Android apps from third parties and not from the Google Play store are definitely at risk.

Of late, there have been more attacks on Linux-based systems while earlier it was Windows that was the primary target…

That’s because a majority of your cloud-based systems run Linux—like your Web servers. It makes more sense for hackers to attack the infrastructure rather than individual devices. Apple is pretty immune because it created a closed ecosystem. It only runs software from a certified developer community. So is the Windows mobile ecosystem. Of course, they don’t have a market share.

Public Wi-Fi hotspots are becoming more popular. How safe are these?

Don’t use them if you don’t trust them. They are prone to vulnerabilities like the man-in-the-middle (where a cybercriminal gets between two parties and gains access to private information) attack. You must use a VPN (virtual private network) to access your company data when using a public Wi-Fi, else it can prove dangerous.

How is Trend Micro’s partnership with Interpol (International Criminal Police Organization) shaping up?

We have been working with Interpol for over two years. (The collaboration was announced in June 2013). We recently helped in the arrest of the head of an international criminal network, suspected of stealing more than $60 million through scams like the business email compromise.

Verification: 55a190b0664d6f07