The convenience of digital banking with the assurance of security

“Falling prey to ‘make money by online trading’ ads, Andheri woman loses Rs 15.5 lakh”

“Two men fall prey to online fraud: Lose money”

“Trying to return spoilt milk, Bengaluru woman loses Rs 77,000 to cyber fraud” 

These are just some of the recent headlines in India’s newspapers. Anyone who follows the news in the country regularly will have undoubtedly come across many more examples.

Cyber crime is quite commonplace in India. In 2023 alone, 1.13 million cases of financial cyber fraud were reported in India, totaling 7.5 billion rupees (~83.1 million euros). What is the reason for this dismal statistic?

Pinakin Dave is a cyber security expert and country manager, India and SAARC at OneSpan, one of Deutsche Bank’s vendors. He explains: “One of the leading causes of this is that consumers have become quite savvy at using digital products while paying very little attention to cyber hygiene.” Case in point: in 2023, Indians conducted 117 billion digital financial transactions, valued at 18 trillion rupees, using the Unified Payments Interface (UPI) system. Just seven years ago, in the first full year after the launch of UPI, the number of transactions stood at only 418 million, with a total value of 570 billion rupees.

UPI is a digital payment platform in India that offers customers a mobile phone-based application to send and receive money instantly. This digital form of payment was launched in the middle of 2016 and gained popularity after the government of India carried out a demonetisation exercise at the end of the same year, with a view to curbing India’s shadow economy and returning hoarded cash into the banking system. Overnight, 500-rupee and 1,000-rupee currency notes, constituting over 85 percent of the country’s cash in circulation, were rendered worthless, leading to a severe liquidity crunch in India’s cash-first economy.

With the shortage of cash and long lines at banks to exchange the now-redundant currency notes, digital forms of payment started gaining popularity. Very soon, street vendors and large stores across the country started displaying their personalised QR codes to receive payments via UPI.

That was not all. Rising disposable incomes, low-cost smartphones and affordable internet plans have led to a rise in smartphone usage, adds Dave. “People are spending much more time online. Whether for education, banking, travel or shopping, smartphones are people’s first choice.” India has around 800 million active internet users and some estimates claim that people in the country spend an average of three hours every day on the internet. According to Dave, this changing trend is providing a wider playground for cyber criminals to operate in.

Who is responsible for cyber security?

Several parties are involved in online financial transactions: financial services providers, technology providers, regulators and, of course, those who use these financial services. While each of these parties plays a crucial role in ensuring safe financial transactions, Dave feels that consumer behaviour is generally the weakest link.

“Many organisations are investing heavily in protecting their customers. Regulators are also providing strong frameworks for safe online banking, but human behaviour is not keeping pace,” he says. “People are still falling prey to simple tactics because cyber criminals take advantage of their greed, fear and vulnerability.” Several studies show that nine out of 10 cyber attacks start with phishing, a term which refers to criminals tricking users into divulging sensitive data or downloading malware, leading to loss of information and money.

India’s central bank and regulatory body, the Reserve Bank of India (RBI), and the market regulator, the Securities and Exchange Board of India (SEBI), have issued guidelines for digital products and services provided by financial institutions. For example, the RBI’s Digital Payments Security Controls provides financial institutions with separate guidelines for internet banking, mobile banking and card payments. The guidelines make it mandatory for financial institutions to educate consumers about staying safe when using digital payment products or related services.

What role does OneSpan play?

Dave says that OneSpan looks at security holistically, from the perspective of the device, the user and the application that is used for the financial transaction. “We want to make sure that our clients have a convenient banking experience, with the assurance of security,” he says. He elaborates further: “Many of our clients, including Deutsche Bank, are using OneSpan’s App Shielding product which stops the banking application if a screen sharing application is active on the mobile device, while also detecting and monitoring various malicious activity on a user’s mobile device. This works in the background and protects consumers even when their own behaviour can cause them a loss.”

This is an important feature, because there have been several cases of fraudsters tricking consumers into downloading screen sharing applications and then asking them to carry out financial transactions, which exposes banking credentials and one-time passwords. Early detection of anomalously changing patterns of behaviour on users’ devices leads to identification of new types of malware or attacks and allows organisations to react before it snowballs into large waves of fraud. 

In India, online financial transactions require more than one type of authentication, which is usually a message with a one-time password, along with the log-in password. However, this may fall short, if the person’s phone is infected with a malicious application such as a message forwarder. This is why OneSpan is going a step further. OneSpan’s proprietary CRONTO technology is helping overcome this, explains Dave. “We provide customers with an encrypted colour quick-response (QR) code to authenticate financial transactions. As opposed to a generic black and white QR code, CRONTO can be read only by a specialised mobile application or an authentication device. This means customers will not use their normal mobile camera app to scan the QR code which is one of the avenues for malicious actors to push fraudulent links into users’ devices.” 

OneSpan also provides advanced hardware-based authentication solutions – including CRONTO and FIDO-powered authenticators. “Banks need to ensure that every user both in retail and corporate banking is protected against phishing and man-in-the-middle attacks, thus having a strong option for users that do not want to rely solely on unprotected mobile devices is a great assurance for banks that all their customers will stay safe,” Dave says. 

The company works with banks, healthcare and professional services firms, providing them with products and services ranging from identity verification to secure video collaboration for virtual transactions. “Our firm invests heavily in studying the latest trends in cybercrime, understanding the modus operandi of cyber criminals and developing security products to bridge the vulnerability of digital products.” According to the company, 60 percent of the world’s largest banks are their clients.

As technology is evolving, banks are using modern tools to protect their customers. “We have products such as Intelligent Adaptive Authentication which uses a real-time decision engine that operates with big data, creates easy and fast-to-process data blocks and generates security decisions that are personalised to a user’s account history, device preferences and behaviour patterns. The system creates instructions that only the user’s devices can consume and transform into a very intuitive user experience, which raises awareness of potential risks and allows them to react in the most secure manner,” says Dave. “Most of this takes place in real time and in the background, providing our clients with a seamless experience which meets the highest standards of security and strict regulations.”

What can end users do to protect themselves?

Despite advanced security features in mobile banking applications, Dave warns that users of financial services are often the weakest link in the security chain because even a brief lapse in safe practices can cause severe financial damage. Illustrating this, he adds: “Very often people tend to give their children their mobile phones to play games or watch videos, while leaving them unmonitored. They may end up clicking on a link or downloading a game that contains malware, exposing them to cybercrime. Children could unknowingly, and unknown to their parents, download an application that forwards messages. Criminals could then gain access to one-time passwords and use that to siphon money from an account.” Along with children, Dave says that it is also very important to pay special attention to educate the elderly about safe online behaviour as they make easy targets for cyber criminals.

Advancing technology can be used for the convenience of financial transactions, but on the flip side, cyber criminals also have access to these same tools, making crime even more sophisticated. In recent times, cyber criminals are known to use artificial intelligence to impersonate family members or friends to trick people into willingly sending money to unknown accounts. It is important to verify the authenticity of the caller before transferring any money. Dave suggests making a call to the actual number of the known friend or relative before taking any action. “Very often, presence of mind and simple checks are all it takes to keep your financial transactions safe.”

This article by Ashish Saldanha was first published on the Deutsche Bank website in September 2024. 

About Pinakin Dave
Pinakin Dave currently serves as the Country Manager for India and SAARC (South Asian Association for Regional Cooperation) at OneSpan. With a wealth of experience in the IT sector, Pinakin is a seasoned professional renowned for his expertise in cyber security, particularly within the enterprise business and financial services domains.

Over the span of more than two decades, he has consistently demonstrated his leadership abilities, having worked extensively with Fortune 500 companies. His academic background in cyber law and international business further enriches his skill set, making him a valuable asset to the industry. Pinakin's contributions to the cyber security field have earned him prestigious industry awards, solidifying his reputation as a distinguished leader in the sector.

About Ashish Saldanha
As the author of this article, Ashish Saldanha believes in the power of technology to transform financial services and more importantly, the role it can play in fighting financial crime. In his day job, he works as a communications specialist for Deutsche Bank’s Technology, Data & Innovation division.