Finschool By 5paisa

FinSchoolBy5paisa

Is India's Fintech Fast, Furious and Fraudulent

By News Canvass | Feb 26, 2024

Fintech and India

The pandemic has given rise to greater adoption of financial technology or “fintech”. As a result, the “Fintech Revolution” has begun, with solutions designed to help companies, business owners and consumers better manage their financial operations, processes, and lives. Unfortunately, this increase, and increased frequency of digital transactions, has led to higher rates of fraud occurrence and loss.  In particular, identity fraud and security issues are impacting the fintech industry and creates a sense of urgency to develop new prevention methods for the industry.  

One of India’s largest hospitals, the All India Institute of Medical Sciences (AIIMS) in New Delhi, was hit by a ransomware attack in November 2022. The attack cut off access to approximately 1.3 terabytes of data and impacted the hospital’s electronic medical records system. Its patient scheduling and billing systems were also affected, forcing the hospital to curtail its outpatient services for several days. Not only did it inconvenience patients, it also resulted in substantial financial losses for the hospital. After this incident, AIIMS strengthened its network by switching to a dedicated and secure local area network, among other security measures. Six months later, when another malware attack was mounted, it was thwarted. This isn’t an isolated incident. Such instances are rising across both government and private enterprises. Data from Indian Computer Emergency Response Team (CERT-In) reveals that India Inc. encountered nearly 1.4 million cyberattacks in 2022, and among these, attacks on cloud systems were the highest.

But Why The Cloud?

As businesses increasingly adopt cloud-based solutions, cyber criminals—who are constantly looking for new vulnerabilities to exploit—are finding it easier to engineer data breaches, explains Rajesh Garg, EVP, Chief Digital Officer & Head of Applications & Cybersecurity at data centre service provider Yotta Data Services. Around 98 per cent of organizations globally now utilize some form of cloud-based tech, while many have adopted multi-cloud deployments from multiple cloud service providers. The massive adoption of the cloud environment has also given rise to Shadow IT, where employees or departments use hardware or software from external sources without the knowledge of the IT or security group of the organisation. This creates a vacuum, where the responsibility of managing security within organizations is not clearly defined.

Unravelling The Attacks

  • Primarily motivated by financial gain, recognition and visibility, espionage, geopolitical reasons, etc., cyber intruders usually target industries that have large-scale manufacturing or sales operations, or those that deal with sensitive personal information, such as hospitals and financial services firms, or those that run critical infrastructure, such as power plants, and transmission and distribution companies, among others.

Securing The Cloud

  • Enterprises should focus on fundamental security policies and procedures necessary to protect their systems. To begin with, a configuration management database is imperative, with visibility into who has access to what and whether access is being monitored and audited. Running vulnerability scans and developing a plan to address those vulnerabilities is also critical, along with identifying end-of-life/end-of-support technologies.
  • The model involves implementing the principle of least privilege, risk-based authentication built on network segmentation, continuous monitoring for signs of attacks, and active defence mechanisms. Businesses should also conduct regular security assessments and penetration tests to identify vulnerabilities.

Is India Prepared?

  • A lack of awareness among enterprises plays an integral role in companies not deploying sufficient security measures for their IT systems. Sundar Balasubramanian, MD of Check Point Software Technologies, India & SAARC says, “Limited awareness, budget constraints, misaligned priorities, trust concerns, and compliance requirements are some potential reasons for companies hesitating to invest in cloud security.” He adds that raising awareness among companies around cloud security risks, offering cost-effective solutions, building trust in service providers, and ensuring compliance with regulations are crucial.
  • Fintech firms that give apps to consumers and QR codes to merchants ensure speed by putting their computing operations in the cloud, where activity can be scaled up quickly without having to invest in on premise servers. However, at the two bookends of any transaction, there are deposit-taking institutions, one for the payer to send money and the other for the payee toreceive the funds. They’re trying to cope with the surge in volumes with core banking software running on IBM mainframe computers. 
  • The lack of a data protection law also hampers cloud security. The “average spending on cloud security in India among large-cap companies, SMEs and start-ups ranges from $1-5 million, $100,000-$1 million, and $50,000-$100,000, respectively. It can be difficult for companies to know what they need to do to protect their data when there are no clear regulations and guidelines. “This can lead to complacency and a lack of investment in security measures.”
  • However, recent advisories by regulators and government agencies have reiterated the need to deploy robust cybersecurity measures and incident response systems for everyone from mainstream organizations to emerging fintech companies, start-ups and SMEs. Whatever the reasons, it is only by adopting a comprehensive cybersecurity approach that organizations in India can mitigate risks, safeguard sensitive data, and ensure the resilience of their digital infrastructure in the face of an expanding threat landscape. The RBI has tried to license nodal-account operators as payment aggregators, so it can have oversight on these fintech firms. Still, no matter what it does, the regulator may always find itself a little out of touch.
  • Three fundamental sources of infirmity need fixing. First, the know-your-customer process needs a more solid underpinning: If Aadhaar is here to stay, it must be made credible and secure. Second, 40 per cent of payments are digital, but they have their origin and destination in a banking system that earns very little from it. Since most UPI transactions are free, traditional lenders have little incentive to shorten their technology-upgrade cycle. Third, the National Payments Corporation of India, which runs the UPI, is a monopoly. What is fast and furious will inevitably be more than a little fraudulent as long as the country’s preferred system for moving money online is devoid of fair charges — and free from competition.
View All