The Covid-19 pandemic has pushed a lot of people into the digital world. Thanks to the threat of the virus a lot of people have had to adapt to using various digital tools to lead their lives—from working, shopping, studying, to getting entertained, paying bills, and carrying out banking transactions.
With the surge in people using online banking, banks have also had to scale up. According to experts, Covid-19 has acted as a catalyst for digital banking services. “Traditionally banks focus on three things: generating more revenues from the customer, minimising the cost of servicing the customer, and being abreast with the compliance and regulatory requirements of the land. With these focus areas in mind, the investments in the digital transformation initiatives fall into two buckets—enabling hygiene and specialised features,” explains Ranga Reddy, CEO of Maveric Systems, a 20-year-old global technology service provider in the banking and fintech space.
“With the whole Covid-19 outbreak, these investments are now in an accelerated mode. The timelines have shrunk 3X which means, the transformation programmes which were supposed to be completed in a year’s time are now being pushed to go live in a quarter,” adds Reddy, whose company counts among its clients “12 of the world’s top banks, six of the world’s top 50 biggest banks, and four of the top challenger banks”. He declines to name his clients.
Naturally, this heightened activity has attracted the attention of criminals. According to a VMWare report from last year, between February and April 2020, attacks targeting the financial sector have grown by 238% globally. No wonder that the Unisys Security Index 2020, released last year, found that one of the top concerns of respondents in India was bank card fraud—unauthorised access to credit and debit card details, and concerns around online banking and shopping.
“In general, financial services sector is prone to cyberattacks owing to the wealth of personal and financial data they possess. Also, emerging economies with an evolving regulatory and legal infrastructure become more prone to such attacks. Cyber criminals are not always caught and typically, the victims rarely get compensated and often have to bear the consequences and financial losses associated with a data breach themselves. This could be the reason why concerns around bank card frauds are high,” Sumed Marwaha, regional services vice president and managing director for Unisys India, had told Fortune India then.
According to Reddy, most banking frauds in India are primarily composed of credit card frauds, especially incidents of card cloning, which have seen a significant rise over the years. While India was one of the first countries to adopt the instant payments system, or the QR code-based system, a very secure one for banks and customers, Reddy says that on the cards front “lack of adequate end-point security at the device level is exposing the customers to the fraudulent transactions”. Impersonation frauds have also increased over the years, where data thieves obtain KYC credentials through online phishing via social media or e-mail, he adds. “The lack of a multi-layered approach to identify frauds has been one of the reasons that financial institutions are not being able to prevent such frauds,” he says. “India is a soft target when it comes to cyber fraud such as phishing, ATM PIN-based, or OTP-based frauds.”
How then does one guard against such frauds, especially since those new to the banking sphere might not be aware of security protocols. According to Reddy, educating customers would be key to avoiding bank frauds. "I already see that many leading private and public sector banks are making their services available in the Indian languages. However, concerted efforts need to be taken in the direction of financial literacy in the Indian languages." He suggests that the regional rural banks be entrusted with the task of educating the rural population of India. "Since they are localised, they have local network strength and they also govern local institutions."
Mobile phone manufacturers too could play a key role in avoiding fraudulent transactions, suggests Reddy. "If the government of India mandates to implement certain security standards on the mobile devices as a bundled feature, it will serve as a great control mechanism for fraud prevention."
However, not all frauds take place at the customer’s end. “While frauds at the customer’s end are more perceivable, there has been a rise in cybercrimes in business email compromise against financial institution executives. The banking ecosystem is highly integrated, and banks have to rely on alliance partners (such as fintech solutions) and third-party vendors in banking operations, making them vulnerable to their security infrastructure,” says Munjal Kamdar, partner, Deloitte India.
Banks in India have been adopting digital technology at a very rapid pace. I believe the banks and the cybersecurity teams as part of the government machinery are doing a great job. I can confidently say that our systems are one of the most secure banking systems in the world.Ranga Reddy, CEO, Maveric Systems
According to a recent McAfee report, entities that use cloud-based email services, especially in the finance and business sectors, are lucrative targets for cyber-criminals who conduct business email compromise (BEC) scams. The report says that according to the FBI’s Internet Crime Complaint Center (IC3), there has been a steady increase in BEC scams since 2014, with the IC3 receiving complaints totalling actual losses of more than $2.1 billion from BEC scams between 2014 and 2019. This means that BEC scams are growing in volume and users are struggling to maintain the security of their account, the report explains. “As more employees turn to remote working on personal and company devices during Covid-19, as well as conducting virtual financial transactions, this could create a more fertile environment for BEC phishing scams targeting the financial sector,” the report says.
How do organisations prepare for such risks? According to Seshadri P.S., senior director, governance, risk and compliance, Office of the CISO, Unisys India, it is imperative for organisations to invest in information security and to use the advantage of tech solutions like biometrics, credential management, restricted access and so on. “While some companies in the BFSI sector have invested in biometrics at some level, they can further invest in data analytics and artificial intelligence to strengthen their security infrastructure, he adds. He suggests that banks can incorporate more advanced offerings such as “telephone voice authentication, real-time facial recognition for ATM authentication and digital onboarding,” he says.
For employees working from home, Seshadri recommends the companies educate them about potential security concerns and “empower them with the right tools and skills to defend themselves and the organisational data from malicious attacks”. Organisations should adopt “new paradigms like Zero Trust that are scalable and include always-on encrypted direct access, identity verification tools, and a software-defined perimeter to limit the damage from malware getting in,” he adds. And use biometrics for additional security. “Additional security controls such as multi-factor authentication, or even biometric logins such as facial recognition or fingerprint scans can further secure IT assets that are used to access company networks,” he says.
While attacks targeting the financial sector have gone up, the McAfee report says that “there have been fewer dramatic successes is a tribute to the intense effort the sector has put into cybersecurity both at individual institutions and collectively”. In fact, the report adds, that a survey conducted in 2018 by the Financial Services Information Sharing and Analysis Center (FS-ISAC), a global cyber intelligence sharing community solely focussed on financial services, found that financial institutions spend (depending on their size) between 6% and 14% of IT budgets for defence.
Agrees Reddy. “Banks in India have been adopting digital technology at a very rapid pace. I believe the banks and the cybersecurity teams as part of the government machinery are doing a great job. I can confidently say that our systems are one of the most secure banking systems in the world,” he says.
Ultimately, it comes down to awareness. “Banks should make it a point to communicate the steps taken by them to provide a secure digital platform to their customers, and allay their concerns. Last, but not the least, banks should also educate their customers about the various types of cyberattacks that could be targeted at them and how to stay safe in the face of these attacks,” Seshadri signs off.