Security risks high in mobile payment systems: study

Mobile phone-based wallets and payment apps gaining popularity in India are highly vulnerable to breach of confidentiality, according to a study.

The risk is high in all systems except one, according to the Centre for Software and IT Management at the Indian Institute of Management-Bangalore, which conducted the study.

Led by Prof Rahul De of the centre, the study assessed mobile wallets such as Paytm and Freecharge, apps linking to bank accounts such as BHIM (Bharat Interface for Money) and PhonePe, bank apps for account holders, and USSD (Unstructured Supplementary Service Data), a protocol GSM phones use to exchange short text messages with the network operator's computers. It found USSD the least vulnerable. The researchers evaluated the systems using risk management principles set out by the Basel Committee on Banking Supervision and the RBI.

Security risks are highest when a user misplaces a phone, because whoever picks it up can read the records of previous transactions, the study concluded. Paytm's access to the one-time passwords that banks send by SMS is a potential risk, the study warned.

Observing that Paytm and Freecharge do not log the user out automatically, the study said this leaves room for unauthorised use of an unattended phone. The wallets also allow third-party vendors like Uber and Big Basket to deduct money from an account without explicitly seeking the user's consent for each transaction, the study said.

The government-launched app BHIM takes up to two minutes to confirm a successful transaction. For a failed transaction, it takes up to 10 hours to notify the user, according to the findings.

“However, even while we were conducting the study, we observed that the features of the apps and services were constantly evolving and changing,” De said in a statement. The evaluation was based on a study conducted between December 16 and January 17.

“It is likely some of the concerns presented in this report have been addressed, and perhaps new concerns have emerged,” he said.

Deepak Abbot, senior vice president, Paytm, responded to the study, saying, “We do not store any confidential data, including SMSes sent by banks, from the user’s device.”

He advised users to activate the app lock feature, and cited enhanced user experience to defend the absence of automatic locking. Paytm allows transactions without OTP only in the case of two companies, Zomato and Uber, and they are “responsible companies”, he said.