While phishing attempts are nothing new, most cardholders in India consider themselves safe enough, thanks to the two-factor authentication of card transactions in the country. To initiate a card transaction in India, one first needs to accurately enter their card number, card expiry date and the CVV code, following which transactions are verified through a one-time password (OTP). This process is known as 3D authentication of transactions, done at the gateway end of payment servers. This, though, does not necessarily mean that card users in India are particularly safe, thanks to sophisticated phishing methods.
OTPs or no OTPs
The issue came to light when Noida resident Neha Chandra recently lost her wallet during a trip to Europe, and subsequently had nearly Rs 1.5 lac stolen from her debit and credit cards, before she could have her cards blocked. While the factor of non-OTP transactions pose a threat to cards outside India, the same can happen for anyone even based in India, says Manan Shah, founder of cybersecurity consultant Avalance Global Solutions.
Shah says, “In India, the advantage is the presence of 3D authentication in card transactions. However, there are many large scale websites in India, which do not offer a 3D authentication gateway for transactions. The real difference here is that 2D transactions do not offer the added OTP verification. Further frauds also happen through the point of sale card machines, some of which do not need a PIN or even to swipe a card, in order to make a transaction.”
Dhiraj Mishra, an independent cybersecurity researcher, echoes Shah’s thoughts on the matter, and states that despite the usage of OTPs, such frauds also happen in India. He says, “Adding OTP during any transaction gives one more layer of protection. Countries in Europe haven't started this yet, but a few banks in UAE have accepted this as a best practice, and added OTP during any transactions that happen.”
Poor coding and weak card machines
Shah explains that fraudulent card transactions are not only common, but fairly easy to do for malicious users. Explaining the use cases of such frauds done outside India, similar to what Chandra recently faced, Shah says, “In Dubai, fake gateways keep functioning and withdrawing money from cards for as long as a month, even after 90 percent transactions receiving complaints from authorities.”
Mishra further adds, “I've seen several breaches in the past for some banks in India even after adding such a layer of protection, and the reason for that is poor coding, which leads to OTP bypass. Also, entities such as banks and their CDE environment should be PCI DSS compliant to be more secure.” The PCI-DSS compliance stands for Payment Card Industry Data Security Standard, which lays down a set of safety specifications that all companies that “accept, process, store or transit” card data must follow.
ID frauds and shell companies
Interestingly, Shah claims that fraudsters in India are setting up payment gateways in foreign nations such as USA in order to make illicit card transactions to steal money. Alarmingly, the process and price for it is not even high. He says, “People are creating shell companies, basing them in foreign nations like USA. These are often authorised with IDs of people who may never travel internationally in their lifetime, such as office clerks. In order to use their IDs, they are simply paid a one-time fee of Rs 10-15 lac, and that’s that. Then, they take a payment gateway in that country, which generally offers 2D authentication.” He further states that even card cloning, a seemingly dangerous technique, is quite easy to obtain, and costs fraudsters as less as just Rs 3,000 per card.
The balance of card transaction safety, hence, seems precarious. Shah states that India’s only saving grace is RBI’s stringent guidelines on 3D payment authentication, and the ruling on banks to close fraud transaction complaints within 90 days. “The only difference is that non-OTP, 2D payment gateways are difficult to obtain in India, and are only given to high trust vendors, which makes it slightly safer here.”
Mishra, however, counters by stating that a section of cards themselves in India are unsafe as they still use magnetic strips in place of the more secure EMV chips that are mandated now by the Reserve Bank of India. Despite the mandate, a Times of India report from April 2019 stated that almost 20 percent of all debit cards in India are still magnetic strip-based. “Europe, meanwhile, has already deprecated magnetic strips in favour of the more secure EMV chips or NFC-based cards,” Mishra concluded.