NPCI Launches Money Transfer Service: Can UPI Model Enable Secure Authentication?
The National Payments Corporation of India, the umbrella organization for all retail payment systems in India, has rolled out the new Unified Payment Interface service for smartphone users to simplify mobile funds transfers, with the norm of single factor authentication for any transaction. However, banking security experts caution that while UPI enables a convenient transaction, NPCI must take pains to ensure a robust security architecture to address potential risks.
The initiative is also in line with the Reserve Bank of India deputy governor's recommendations to the banks to see mobile banking as an avenue for cost saving, rather than revenue generation, to align with the government's agenda of financial inclusion, a mechanism for delivery of financial services at affordable costs to the disadvantaged and low-income segments of society.
As per the RBI, the number of mobile transactions surged to 94 million in 2013-14, compared with 53 million in 2012-13. This figure is only going to soar this year, given the 900 million mobile phone users in India.
But Sameer Ratolikar, senior vice president and chief information security officer at HDFC Bank, urges caution.
"While UPI provides users a convenient transaction and boosts financial inclusion," he says, "one should ensure a robust security architecture is in place to address potential cybersecurity threats arising out of it."
UPI enables account holders to send and receive money from their smartphones using a single identifier - an Aadhaar number (the 12-digit individual identification number issued by the Unique Identification Authority of India on behalf of the Government of India, which serves as proof of identity and address anywhere in India), a mobile number or a virtual payment address - without entering any bank account information. It's essentially a single-factor authentication process.
"This unified layer, which offers next-generation peer-to-peer immediate payment just by using a personal phone, uses existing systems such as IMPS, AEPS, to ensure settlement across accounts," says A P Hota, managing director and CEO, NPCI. "The use of existing systems ensures reliability of payment transactions across channels."
UPI is a standardized, adoptable, secure and cost-effective interface. Once formulated, the standardized API, designed for enabling different forms of payment beneficial for mobile application and other channels, can be integrated into the NPCI infrastructure.
According to NPCI sources, UPI will make payments possible by only providing an address, without any account details or credentials on third-party applications or websites. It also has the ability to send collect requests to others (person to person or entity to person) with "pay by" date to allow payment requests to be "snoozed" and paid later before the expiry date, without having to block the money in the account until the customer is ready to pay.
Hyderabad-based Milind Rajhans, assistant general manager-IT and chief information security officer at the Andhra Pradesh Co-operative Urban Bank Ltd., says that the objective of UPI is to offer the architecture and a set of standard APIs to facilitate next-generation online immediate payments, leveraging trends such as increasing smartphone adoption, Indian Language Interface, and universal access to Internet and data.
Some advantages of UPI, as one source observes, include its ability to use the personal mobile phone to "pay" someone (push) as well as "collect" from someone (pull). Users can pre-authorize multiple recurring payments similar to ECS (utilities, school fees, subscriptions, etc.) with a one-time secure authentication and rules-based access. All payment systems require the use of a standard set of APIs for any-to-any push and pull payments. It has the ability to have PSP-provided mobile applications that allow paying from any account using any number of virtual addresses using credentials such as passwords, PINs or biometrics (on phone).
But Is It Secure?
Security experts do see the benefits from this service, as the architecture is well within the regulatory framework of mobile and e-commerce transactions having two-factor authentication.
However, practitioners also have security concerns; they expect the increase in encrypted traffic that heavy transaction volumes will bring to emerge as a challenge. "A lot of institutions will be taken by surprise when they realize that the uptake of encryption channels prohibits them from understanding what enters or exits their networks," Rajhans says. "Not only do they enable data to move out with ease, they also vastly increase the attack surface of an organization."
Ratolikar adds: "While the initiative will enhance new mobile service capabilities and enhance business growth for banks, it would be a disaster if the banks don't leverage people, processes and technology effectively, sufficiently backed by effective monitoring security tools. People need to be extra sensitive to risks like vishing and smishing on a regular basis, and have processes in the form of secure registration to protect against fraudulent registrations and replay attacks."
Some of the challenges that security leaders foresee are from "shadow IT" services that require some level of visibility and perspective on how IT is being used in an enterprise environment. Without it, they say, a security leader cannot do any meaningful risk calculations, given the volume of transactions with the UPI model. They emphasize the need for CISOs to gain visibility into what services and data are being used and how they can be aligned to business priorities.
Best Security Measures
Rajhans lists three key aspects to ensure a secure transaction via the UPI process:
- Conduct all APIs over a secure channel HTTPS;
- Audit transaction data for an appropriate number of years;
- Ensure unique transaction ID generation, digitally signed messages and a fully integrated API for all types of transactions.
Some of the security controls that Ratolikar recommends include having SIM duplication tools in place, or a cap on the transaction amount that could help as a check on the genuineness of the transaction.
The use of standards such as PCI-DSS and ISO 27001:2013 is recommended for implementation by organizations involved in the processing of payment transactions. "Such standards give comfort to stakeholders and improve the overall security posture of organizations in all phases of the data life cycle, like data creation, processing, storage, purging, etc.," Ratolikar says.