Electronic payments in India lack security standards

A recent study by IIM-B has concluded that all is not well with e-payments, which witnessed a surge post-demonetisation. To assess the security risks of electronic transactions, the researchers conducted experiments with five popular payment gateways in four broad categories: wallets (PayTM and FreeCharge), a direct link with the user’s bank (BHIM), a specific bank’s app for its account holders (iMobile by ICICI Bank), and the basic USSD service reached by dialling *99#.

However, the study clarified that the evaluation was conducted between December ’16 and January ’17, and that some of the concerns it raises may since have been addressed while new ones may have cropped up. In that respect, the study shouldn’t be seen as a static analysis, as each interface evolves continually. The evaluation was based on six key security principles drawn from the Basel Committee’s Risk Management Principles for Electronic Banking and the Reserve Bank of India’s norms for electronic transactions.

The six factors considered in evaluating the security of the five popular electronic payment gateways were confidentiality, transaction non-repudiation management, authentication of the customer’s identity, data and transaction integrity, access and availability, and privacy of customer information.

The study was conducted by Abhipsa Pal, FPM student in Decision Sciences and Information Systems, together with Sai Dattathrani, manager of the Centre for Software IT Management, and Dr Rahul Dé, professor of Decision Sciences and Information Systems. It concluded that the security risks of electronic transactions through mobile payments are high, for technological and other reasons.

The study established that the potential for confidentiality breaches was a problem for all the mobile payment methods except USSD: unauthorized access to the phone can reveal all details of transactions made through Paytm, Freecharge, iMobile and Bhim. The Paytm app has unusual and unreasonable access to the one-time password sent by a partner bank. The study also established that the management of transactions, allowing a transaction to be rejected subsequently if needed, was inadequate for all the payment methods. There was no evidence of systematic analysis of transaction patterns with a warning to users about unusual or problematic transactions; for instance, multiple, repetitive transactions made in a very short period of time are not flagged by the payment systems. The lack of this feature is potentially harmful.
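The kind of transaction-pattern check whose absence the study points out, as an added example that is not part of the study or of any of the apps reviewed: a sliding-window velocity check over constructed transaction records (payers, payees, amounts and timestamps are all invented) that flags a payer repeating the same payment to the same payee within a short interval.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample transaction log: (timestamp, payer, payee, amount in INR).
# user_a repeats the same Rs 500 payment four times inside one minute;
# user_b and user_c repeat payments too, but spaced well apart.
SAMPLE_TXNS = [
    (datetime(2017, 1, 10, 10, 0, 0),  "user_a", "merchant_x", 500),
    (datetime(2017, 1, 10, 10, 0, 15), "user_a", "merchant_x", 500),
    (datetime(2017, 1, 10, 10, 0, 40), "user_a", "merchant_x", 500),
    (datetime(2017, 1, 10, 10, 0, 55), "user_a", "merchant_x", 500),
    (datetime(2017, 1, 10, 10, 0, 0),  "user_b", "merchant_x", 500),
    (datetime(2017, 1, 10, 10, 5, 0),  "user_b", "merchant_x", 500),
    (datetime(2017, 1, 10, 10, 0, 0),  "user_c", "merchant_z", 100),
    (datetime(2017, 1, 10, 10, 0, 30), "user_c", "merchant_z", 100),
    (datetime(2017, 1, 10, 10, 2, 0),  "user_c", "merchant_z", 100),
    (datetime(2017, 1, 10, 10, 1, 0),  "user_a", "merchant_y", 200),
]


def find_repetitive_bursts(txns, window_seconds=60, threshold=3):
    """Flag (payer, payee, amount) groups with >= threshold identical
    transactions inside any sliding window of window_seconds.

    Returns {(payer, payee, amount): {"count", "first", "last"}}, where the
    record reflects the most recent window in which the burst was seen.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # per-group timestamps still inside the window
    flagged = {}
    for ts, payer, payee, amount in sorted(txns, key=lambda t: t[0]):
        key = (payer, payee, amount)
        q = recent[key]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = {"count": len(q), "first": q[0], "last": ts}
    return flagged


if __name__ == "__main__":
    for (payer, payee, amount), info in find_repetitive_bursts(SAMPLE_TXNS).items():
        print(f"WARN {payer} -> {payee} Rs {amount}: {info['count']} identical "
              f"payments between {info['first'].time()} and {info['last'].time()}")
```

A real system would warn the user or hold the payment for confirmation at that point; the check here only produces the flag.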