Our biz, banks, mobile and Aadhaar-based payments are under grave cyber-threat. Yet, India is a late riser.
The world has been reading about Russian and Chinese hackers getting accused of tearing into US government and Democratic Party databases, or the US breaking into European leaders’ data, or the high-minded objective behind Wikileaks. Now, it seems India is under cyber-attack.
Last month, websites and databases of seven Indian missions in Africa and Europe were hacked and sensitive data was reportedly put online by hackers. In October, in one of the financial sector’s biggest cyber attacks, details of over 30 lakh debit cards from leading Indian banks were compromised and leaked from ATMs.
This month, a group called Legion claimed to have hacked Twitter accounts of Rahul Gandhi and Vijay Mallya. They also announced that the Indian banking system and the popular mobile wallet Paytm, were vulnerable and could be easily hacked into.
As the government leads a digital drive with an aim to make India a cashless economy, the threat of cyber attacks looms large. What is a matter of concern is that India is hardly prepared to face a breach of its cyber security. Worse, there is hardly any legal protection for possible victims.
Mobile phones, which more Indians are using for transactions in the push following demonetisation, are particularly susceptible. Indeed, a study by Assocham and Ernst and Young says mobile frauds are expected to grow to 60-65 per cent by 2017.
In June, Russian software security firm Kaspersky Lab said that India was among the top five countries to be attacked by ransomware—software that blocks access to programmes until people pay online ransoms. The lab recently said that one-third of ransomware incidents in the Asia Pacific in the third quarter of 2016 happened in India.
With primitive protection, India is living in dangerous times. In addition, even this unpreparedness in the face of impending threats hasn’t forced Indian firms to thinking about securing their systems anew. The government is also slow to address the danger.
Says Mohan Jayaraman, MD, Experian Credit Bureau, India, “As more consumers access multiple channels, including online and mobile, fraud continues to evolve. It’s underpinned by a combination of ID theft, false identities, and organised gangs carefully developing fraud networks and account takeover—where personal data can be stolen to hijack an existing account.”
Globally, cyber attack incidents have increased in the last two years. According to a report led by Verizon, there were 1,00,000 incidents of security breach in 2015 while in 2016, there have been over 2,200 incidents of data breach alone. Of these, over 900 involved phishing. About 89 per cent had financial or espionage motives. Surprisingly, only 10 per cent were discovered.
Says cyber security expert Kshitij Adlakha, “We live in a networked world, from personal banking to government infrastructure. Protecting those networks is no longer optional. In many firms personal user information, credit card information and email accounts have been compromised. In some companies, cyber criminals stole money from accounts, carried out industrial espionage and even took over company systems and demanded ransom to unlock them.”
The Indian banking system is especially in danger. While the Legion group has said that the banking system is ‘deeply flawed’, a large number of (mostly public sector) banks does not have adequate security systems. “There have been glaring data leaks in major banks but in India repercussions are low, so that these banks’ investment on security is also low. The potential for leak of private information is very high,” says online security expert Aravind R.S.
Most disconcertingly, a majority of our ATMs are vulnerable and can be hacked into anytime. Almost 75 per cent of India’s 2.3 lakh ATMs use Microsoft’s XP operating system. With Microsoft discontinuing support for XP based systems since 2014, they are a low hanging fruit for hackers.
Thoroughly alarmed by the security situation, the RBI in June asked all banks to instal a comprehensive security system and prepare a Cyber Crisis Management Plan. While it’s still work in progress, hackers are getting better. Vinayak Godse of Data Security Council of India (DSCI) says, “Security is always a tradeoff as no system is 100 per cent secure as you open your system to various channels. While systems are becoming sophisticated, attackers are becoming more advanced and smarter.”
The other area with little protection is mobile wallets. Experts point out that beyond the personal security of the phone, money in a mobile wallet is easy picking. If a phone is stolen, anyone can have access to a person’s mobile wallet, as companies like Paytm, which has over 50 million users, do not use a two-way or a password-based authentication system, meaning they can be hacked into anytime.
But Aadhaar-based payments, which the government is pushing aggressively, seems to be staring at the biggest threat. A break-in can compromise not just a person’s personal data but also his bio-metric details. Pranesh Prakash, policy director of the Centre for Internet and Society (CIS) says, “Aadhaar-enabled payment without PIN and password is bad design. A merchant accepting Aadhaar-based payments, who has access to personal data and fingerprints, can misuse any of that. Yet the government is going ahead with it.” At every point where Aadhaar is used for payment or for KYC requirements, the data can be stored by the intermediary, making Aadhaar most vulnerable to cyber attacks.
In fact, identity theft in India through cyber attacks constitutes a clear and present danger, because of primitive systems for identity protection. Says Samir Shah, CEO of security company Aurionpro, “The US and Europe now have 3rd and 4th generation ID management systems.... India is barely 1st generation in this.”
What makes India unique is the near-absence of legal protection, as the IT Act is just an overarching law with few provisions for specifics and almost none for cyber attacks. “Barring a few clauses in the IT Act, there is no specific privacy law in India and nothing to protect data breach. The US and Singapore have overhauled their laws. The government did announce the National Cyber Security policy a few years ago but nothing has moved on it,” says Ashish Thapar, managing principal, APAC, Verizon Risk Team.
Appallingly, there is no protection for consumers under the IT Act in case data is stolen. “In terms of cyber security you only have section 43 A, which says that a company needs to have adequate security practice. It doesn’t specify what is adequate, what kind of audits are to be conducted or what checks are required for compliance. There are also no minimum standards,” says cyber law expert Asheeta Regidi. Under the law, consumers have protection only if a company has not complied with the Act in terms of having a security practice. If it has complied and data is stolen the consumer has no remedy.
Experts feel attackers will shift focus from large companies to small and medium businesses. According to Juniper Networks, while hackers have traditionally targeted enterprises with large amounts of data and deep pockets, they will focus more on smaller businesses—easier, softer targets that can be sponged for quick money. It can be devastating and possibly bankrupting for small organisations. Says Anand Ramamoorthy, MD, South Asia, Intel Security, “Small and medium enterprises and customers from tier 2 and 3 cities as well as banking companies are most vulnerable. We are falling short in prioritising security and not putting it as a cost add.”
As a knee-jerk reaction to the danger, the Centre has taken a series of steps to combat cyber intrusions. It has set up two teams under its cyber emergency unit, Computer Emergency Response Team (CERT-In), one to respond to cyber attacks and the other to monitor digital payments. It has also set up a committee under Department of electronics and IT secretary Aruna Sundararajan to look into these issues.
Following the Legion attacks, the Ministry of Information Technology has ordered an audit of the financial sector, starting immediately with the National Payment Corporation of India (NPCI).
It has also announced the setting up of the National Cyber Coordination Centre (NCCC), to be operational by March 2017, to provide real-time situational awareness and rapid response to cyber attacks. To have legal protection against online attacks, the IT ministry has also ordered a review of the IT Act 2000. Recently, Nasscom and DSCI launched a detailed roadmap for the next 10 years, under which it will look at systems to protect India from cyber attacks. The government is also preparing for the launch of its BotNet centre, which will help disinfect devices as part of efforts to protect citizens online.
However, looking at the increasing sophistication of cyber attackers, these measures could be a case of too little, too late. With a resolve to take India to the next level of digital development, the government will have to jump to the next generation of cyber protection through advanced systems and more evolved legislation. Unfortunately, it lags behind in both. The government’s actions in the next few months will show whether India will be able to withstand the dire threat of cyber intrusion.