On 8th November, 2016, our honorable Prime Minister Shri. Narendra Modi, in his speech addressing the nation, announced that the currency notes of denomination 500 and 1000 would cease to be legal tender from the midnight of November 8. Following are key points concerning the currency ban (source: The Hindu):
- These notes can be deposited in banks between Nov. 10 and Dec. 30
- Banks will also exchange these notes up to Rs.4000 till Nov. 24. To exchange currency notes this form needs to be filled up and submitted to the bank along with a photocopy of a valid government issued photo identification. Original of the photo identification is also required to be shown at the time of exchange.
- Post Dec. 30, these notes will be accepted only by the Reserve Bank of India along with a written declaration
- For a few days, only up to Rs. 2000 a day can be withdrawn from ATMs; this will be raised to Rs. 4000 later
- New Rs. 500 and Rs. 2000 notes to be released later by RBI
- Exchange facility for up to Rs. 5000 for arriving and departing passengers who have Rs. 500 or Rs. 1,000 notes. Foreign tourists will be able to exchange foreign currency or old notes of not more than Rs. 5,000 into legal tender.
- Cash withdrawal from a bank account over the counter will be restricted to Rs.10,000 subject to an overall limit of Rs. 20,000 in a week for the first fortnight, i.e., until the end of business hours on November 24, 2016.
This sudden strike by the PM is aimed at curbing the growing menace of duplicate currency, black money and terrorism funding. Only time will tell whether it succeeds, but the move will surely lead to increased reliance on net banking, online transactions, mobile wallets etc. At present, there are no limits set on the amount of money that can be transferred through online transactions. Given the long queues at banks and post offices and drained ATMs, this would be the preferred mode of payment for various utilities (electricity, water, phone etc.) and other consumer goods and services, at least for days to come.
Terrorist and underworld organizations would be among the major sufferers of this move. Pressed to replenish their funds, they may turn to the cyber world with increased perseverance. They’ll explore new threat vectors and zero-day vulnerabilities to perpetrate a breach. The recent debit card breach is a major example of this.
The question that needs to be asked then is:
- Do organizations providing financial services have sufficient controls in place to ensure that such transactions and services remain resilient to increasing cyber attacks despite the increased volumes?
Do cashless transactions matter that much?
Following are the four major channels through which cashless transactions happen:
- Retail Purchases Through ECS
- ECommerce Industry
- Online Payment of Utility Bills, Recharge etc.
As reported by The Economic Times, paper-based transactions cleared through cheques in FY 2015 (April 2014 – March 2015) summed up to INR 85 lakh crore (US$1.33 Trillion) whereas cashless transactions through credit card, debit card, NEFT, and online wallets amounted to INR 92 lakh crore (US$1.43 Trillion). The total transaction amount in India – exclusive of cash transactions – reached $2.76 Trillion in FY15. In the wake of the currency ban, this number would go up, increasing the impact of a cyber security breach on the IT infrastructure of banks, payment gateways, mobile wallet providers etc.
Types of attacks
As per a report published by Deloitte, following are the major threats that plague the financial sector:
Cyber criminals have demonstrated their ability to exploit online financial and market systems that interface with the Internet, such as the Automated Clearing House (ACH) systems, card payments, and market trades.
Fraudulent monetary transfers and counterfeiting of stored value cards are the most common result of exploits against financial institutions, payment processors, and merchants.
ATM skimming is also a prevalent global cyber-crime. A criminal affixes a skimmer to the outside or inside of an ATM to collect card numbers and personal identification number (PIN) codes.
Point of sale terminals
Point of Sale (POS) terminals have been a primary target for cyber criminals engaging in credit card fraud and have resulted in the compromise of millions of credit and debit cards in the US.
Mobile Banking Exploitation
As more mobile devices have been introduced into personal, business, or government networks, they have been increasingly targeted for stealing PII. Cyber criminals have successfully demonstrated man-in-the-middle attacks against mobile phones using malware.
Impact of financial frauds
The following figure depicts the loss suffered by victims of various types of financial frauds between June 1, 2014 and December 31, 2014:
Safety tips for online secure transaction
As per a paper published by the International Journal of Advanced Research in Computer Science and Software Engineering, titled ‘Online Banking and Cyber Attacks: The Current Scenario‘, following precautionary measures could keep consumers safe while performing online transactions:
- If the network is not properly secured – avoid online banking, shopping, entering credit card details, etc.
- Check your online account frequently and make sure all listed transactions are valid.
- Never ever click on a link – Be extremely wary of e-mails asking for confidential information; they could be phishing e-mails from fraudsters. Do not click on a link given in a spam e-mail.
- Always delete spam – delete spam e-mails immediately and empty the trash box to prevent clicking on the same link accidentally.
- Beware of lotteries – please beware of lotteries that charge a fee prior to delivery of your prize. Do not respond to lottery messages or call on the numbers provided in the text messages.
- Check if the website is secure – While using a credit card for making payments online, check if the website is secure, as the CVV, which is printed on the reverse of the credit card, will also be required for online transactions. Do not provide photocopies of both sides of the credit card to anyone. It can be misused by fraudsters for online purchases.
- Notify your bank/credit card issuer – if you do not receive the monthly credit card statement on time, or if a credit card is misplaced or lost, immediately inform your bank/credit card issuer. Do not share bank credentials in public or over the phone.
Uday Mittal (OSCP, Associate CISSP, DCPP) is the founder of Yaksas CSC. He has over 4 years of experience in dealing with various issues related to cyber security. He is actively working towards educating people on cyber security risks and steps to mitigate them. He’s also a member of (ISC)2, ISACA and DSCI.