How Safe Is Your Money In Mobile Wallets?

New Delhi: 17 million user records were stolen from Zomato, an online restaurant discovery and food delivery service, a few weeks ago, and just on Tuesday (May 30) news broke that nearly 36 million Android devices were infected with the Judy malware, which can potentially steal details like credit card information and passwords from a phone. Repeated incidents like these prove that threats to sensitive data stored in phones and digital payment systems are very real, and fear of such breaches is one of the biggest concerns.

Considering that mobile wallets have become, particularly post-Demonetisation, one of the most popular digital payment methods in the country, a question that many naturally have is: how safe are they?

Cyber security expert Rakshit Tandon, Director at the Council of Information Security, believes that these apps themselves are quite safe. However, he does say that while mobile wallet companies have strong internal measures in place to secure user data, security has not been the core focus while developing these products.

"Unfortunately the approach has been reactive and not proactive. Only once there is a breach and data is compromised are steps taken. Additionally, many users do not know how they can stay safe," Mr Tandon says. "Some wallets have taken up security seriously and created their own R&D cells and teams of ethical hackers, but more needs to be done. A complete marriage of all stakeholders is important, like the website, gateway, server, wallet and apps."

So what exactly are mobile wallets doing to ensure that user details and money are not compromised?

Mobile wallet companies like Paytm, MobiKwik, Freecharge and Citrus Wallet are Payment Card Industry Data Security Standard (PCI-DSS) compliant, which means that they follow stringent procedures to secure their data and these systems are annually audited by the Payment Card Industry Security Standards Council. This ensures that their security standards are on par with those followed by credit card companies.

"No third party can log into that system. The PCI-DSS system means that only certain IP addresses can connect to the system and get the data," explains Vijay Shekhar Sharma, Founder and CEO, Paytm.

"Every company has policies related to what data will be kept in a secure system and what will be kept in the public domain. As far as Paytm is concerned, user data is PCI-DSS data which means that it is as safe as a debit/credit card's information," Mr Sharma tells NDTV.

Rohan Khara, Head of Product Management at MobiKwik, says that similar methods are used by MobiKwik to keep data safe.
"MobiKwik takes security very seriously and puts it at the centre of all user interactions. It is PCI-DSS and ISO27001 certified, takes care of the various information security measures to ensure the integrity of the application and protect from emerging threats and frauds," Mr Khara says.

Additionally, the Reserve Bank of India's Security, Fraud Prevention and Risk Management Framework requires all mobile wallets to provide separate logins for users, mechanisms to lock out users after multiple invalid login attempts, and an additional factor of authentication for authenticating transactions in mobile wallets, among other things.

The Reserve Bank of India also requires companies to develop systems to detect and prevent fraudulent payments as well as conduct velocity checks (monitoring transaction patterns and user history) on the transactions to detect suspicious behaviour.
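As an added illustration (not code from the article or from any wallet provider), here is a simple velocity check of the kind the RBI framework describes, run over a constructed transaction log; the thresholds, rule names and record layout are assumptions:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample transaction log (user, ISO timestamp, amount in rupees);
# not real data from any wallet provider.
SAMPLE_TXNS = [
    ("alice", "2017-05-30T10:00:00", 450),
    ("alice", "2017-05-30T12:30:00", 600),
    ("alice", "2017-05-30T18:05:00", 500),
    ("alice", "2017-05-31T09:00:00", 15000),   # far above alice's usual spend
    ("bob", "2017-05-30T21:00:00", 900),
    ("bob", "2017-05-30T21:01:00", 900),
    ("bob", "2017-05-30T21:02:00", 900),
    ("bob", "2017-05-30T21:03:00", 900),
    ("bob", "2017-05-30T21:04:00", 900),
    ("bob", "2017-05-30T21:05:00", 900),       # sixth payment in five minutes
]

def velocity_check(txns, max_count=5, window=timedelta(minutes=10),
                   max_window_amount=20000, history_multiplier=5, min_history=3):
    """Return (user, timestamp, reason) for each transaction that trips a rule.

    Three assumed rules, each a form of velocity check:
      - more than max_count payments by one user inside the sliding window
      - more than max_window_amount rupees by one user inside the window
      - one payment more than history_multiplier times the user's average
        earlier payment (applied once min_history payments are known)
    """
    alerts = []
    recent = defaultdict(deque)   # user -> (timestamp, amount) pairs inside the window
    history = defaultdict(list)   # user -> amounts of all earlier payments
    for user, ts_str, amount in sorted(txns, key=lambda t: t[1]):
        ts = datetime.fromisoformat(ts_str)
        q = recent[user]
        while q and ts - q[0][0] > window:   # drop payments older than the window
            q.popleft()
        q.append((ts, amount))
        if len(q) > max_count:
            alerts.append((user, ts_str, "too many payments in window"))
        if sum(a for _, a in q) > max_window_amount:
            alerts.append((user, ts_str, "amount in window exceeds limit"))
        past = history[user]
        if len(past) >= min_history and amount > history_multiplier * (sum(past) / len(past)):
            alerts.append((user, ts_str, "payment far above user's history"))
        past.append(amount)
    return alerts
```

In a real system the alerts would feed a step-up authentication or manual review queue rather than block outright.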

Mobile wallets have also begun offering people the option of setting a pattern, numeric or biometric lock which has to be entered when the app is launched.
 
"Your phone may be stolen and your wallet can be exposed. This was a very glaring error that was pointed out to us during the demonetisation days. So what we have done is that whatever people have as their phone locking features, some people have patterns, some people have thumb scans, this can now be replicated on your pay or passbook features. So when you want to make a payment through Paytm, you have to enter another password or your thumbprint," says Mr Sharma.

MobiKwik also encourages its users to add this extra layer of protection.

"As an imperative security measure, MobiKwik users are advised to put a security PIN and/or enable biometric login. Users should enable these security measures to ensure that their MobiKwik account has another layer of security, in addition to the phone password," says Rohan Khara.

The Big Problem: Educating Users To Stay Safe

However, when it comes to digital payments and mobile wallets, in particular, one of the biggest gaps in security remains the fact that people do not know how to secure their smartphones and are susceptible to falling prey to fraudsters.

"Users do not realise that their social media accounts can be accessed by anyone who accesses their phones. They also often click on links and download apps that compromise their details. For instance, it's estimated that 36.5 million Android phones have been infected with the Judy malware. I've heard of so many cases in which someone's social media is compromised and the hacker requests a money transfer from one of their friends through a mobile wallet by sending a message through this account. The person on the other end will just think it's a friend asking for money and will give it," says Rakshit Tandon.

Similarly, fraudulent calls requesting a person's account and personal information remain a huge security threat.

"We have to remember that the biggest reason for hacking or frauds in this country is when consumers gullibly accept a call and believe that this is coming from a legitimate source. No payment system ever calls a customer for information about their accounts. Remember that every nut and bolt of an account already exists with a payment or mobile wallet company," says Vijay Shekhar Sharma.