The new India Post Payments Bank will take banking to the doorstep by using India's mammoth network of post offices. Postmen will perform digital transactions on their phones. That's raising concern among security leaders, who recommend adopting defense-in-depth security.
The new bank is designed to serve a largely low-income population with little banking experience, much less experience with mobile or online technology. So these customers are particularly vulnerable to social engineering.
"They are most prone to threats, including remote exploits (network-based attacks), phishing, ransomware and cyber-espionage," says Aditya Khullar, technical leader-cybersecurity at Paytm, an e-commerce payment system and digital wallet company. "Malicious users may attempt unauthorized access through hand-held devices, too."
As a result, many security practitioners recommend the bank implement new, strong authentication methods and develop a security team.
Banking Service for the 'Unbanked'
India Post Payments Bank is incorporated as a public sector company under the Department of Posts with 100 percent government equity; it's governed by the Reserve Bank of India.
IPPB, under the ministry of communications, enables three lakh postmen and Grameen Dak Sewaks, or postmasters, to digitally deliver financial services.
At the launch in Delhi this week, Prime Minister Narendra Modi said: "The growing pace of technology in communication threw a challenge, and we used technology as a base to turn that challenge into an opportunity to convert postmen into bankers delivering financial services to the rural sector."
IPPB will be available through 650 branches and 3,250 access points immediately, scaling to all 1.55 lakh post offices by December 2018.
IPPB accepts deposits up to Rs. 1 lakh and offers remittance services, mobile payments/transfers/purchases, debit cards, internet banking and third-party fund transfers.
Communications Minister Manoj Sinha says deposits above Rs. 1 lakh will be automatically converted into post office savings accounts. "The bank is permitted to link around Rs. 17-crore postal savings bank accounts with its own setup, including 1.4 lakh bank branches, nearly 50,000 of them in villages, which face a challenge reaching the 'unbanked'," Sinha says.
Security in Question
Suresh Sethi, managing director and CEO of India Post Payments Bank, says in an interview with Livemint: "There is a lot of focus in ensuring all RBI guidelines regarding establishing the bank are met, including creating the right customer-facing processes and compliance with end-of-day balances."
He adds: "We are giving postmen smartphones, on which a mobile agent app will be installed, and a biometric authentication device, all connected on a real-time basis with our core banking system. It will meet stringent RBI guidelines to ensure each transaction is online. We've invested in very high-end technology capability for ensuring our applications are simple, intuitive and leveraging RBI's payment and settlement system, which makes them affordable and helps take interoperable services to the last mile."
Singapore-based Tom Wills, director of Ontrack Advisory Pte. Ltd., a security consulting firm, says the new bank will face the same threats all banks face. "However, its new remote service delivery model using mobile devices carried by postmen needs special attention; it's practically guaranteed that fraud will be attempted from day one," he says.
"Biometric authentication will provide protection against hacking and many types of identity fraud, though not against social engineering (fraudsters persuading a legitimate user to send them money). No system in the world is able to stop that because it's a human, not technical, attack."
Dharshan Shanthamurthy, founder & CEO at SISA Infosecurity Pvt. Ltd., a payment specialist firm, says: "Regarding postal payments services, if biometric authentication is placed as an additional factor, not as a primary factor, it can contain fraud risks, as payment infrastructure is a very lucrative target for fraudsters."
The biggest challenge, says Mudit Rastogi, senior vice president-India and APAC at Aujas Networks, a managed service provider, is delegating responsibility for delivering services to those who are not technology savvy. The handheld devices that are critical endpoints for banking are prone to fraud, he adds.
K.K. Mookhey, CEO at Network Intelligence, a cybersecurity consulting firm, expects IPPB will face risks different from other banks, particularly if the networks of the post office and for banking transactions are not segregated.
Building in Security
IPPB will not require the use of debit cards. Instead, it will rely on issuing new QR (Quick-Response) cards that use biometric authentication, not passwords or PINs.
IPPB has already launched its app, which can be used for mobile banking and opening an Aadhaar-based account without visiting a post office, according to Livemint.
Mookhey argues that IPPB needs to appoint a CISO to drive governance and implement a proper organizational structure for policy and process adoption. "It's a greenfield project, so it's easier to build security by design and ideally design the security architecture to address network, operating system, database and application security," he says.
Khullar believes IPPB should focus on ensuring defense-in-depth as it builds the infrastructure. "Known as layered security or layered defense, it describes the practice of combining multiple mitigating security controls to protect resources and data," he says.
Rastogi supports Khullar's argument for a layered security model, adding that multifactor authentication would help establish secure transactions through the handhelds.
"IPPB should have an in-house cybersecurity team ... to enable thwarting attacks/exploits proactively," Khullar recommends.
Ideally, IPPB should use multimodal biometrics, Khullar says, using more than one characteristic feature, such as fingerprint and facial recognition, or capturing multiple sets of the same trait through different sensors, enabling stronger, foolproof authentication. "Combining individual measurements - called biometric-fusion - increases robustness," he says.
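To make the fusion point concrete, the following is an added illustration, not code from IPPB, Paytm or anyone quoted in this article. It implements score-level fusion (a weighted sum of two normalized match scores) and compares false-reject and false-accept rates for fingerprint alone, face alone and the fused score at a single threshold. The match scores are constructed for this example and deliberately include one poor capture per modality for the genuine user and one near-miss per modality for the impostor, which is the situation fusion is meant to handle; the 0.6 threshold and equal weights are assumptions, not IPPB parameters.

```python
"""Score-level biometric fusion: fingerprint + face match scores.

Added example. All scores below are constructed, normalized to 0..1,
where higher means a closer match to the enrolled template.
"""
from typing import Dict, Sequence, Tuple

# Constructed genuine-user scores: one weak capture in each modality
# (a smudged fingerprint, a badly lit face) that would fail on its own.
GENUINE_FP = [0.92, 0.88, 0.45, 0.90, 0.85]
GENUINE_FACE = [0.80, 0.35, 0.83, 0.78, 0.81]

# Constructed impostor scores: one near-miss per modality, but never
# both modalities high for the same attempt.
IMPOSTOR_FP = [0.30, 0.65, 0.25, 0.40, 0.20]
IMPOSTOR_FACE = [0.55, 0.28, 0.62, 0.30, 0.25]


def fuse(fp: float, face: float, w_fp: float = 0.5) -> float:
    """Weighted-sum fusion of two normalized match scores (assumed weights)."""
    if not (0.0 <= w_fp <= 1.0):
        raise ValueError("weight must be in [0, 1]")
    return w_fp * fp + (1.0 - w_fp) * face


def error_rates(genuine: Sequence[float], impostor: Sequence[float],
                threshold: float) -> Tuple[float, float]:
    """Return (FRR, FAR): genuine attempts rejected, impostor attempts accepted."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return (frr, far)


def compare(threshold: float = 0.6, w_fp: float = 0.5) -> Dict[str, Tuple[float, float]]:
    """FRR/FAR for each modality alone and for the fused score."""
    fused_genuine = [fuse(a, b, w_fp) for a, b in zip(GENUINE_FP, GENUINE_FACE)]
    fused_impostor = [fuse(a, b, w_fp) for a, b in zip(IMPOSTOR_FP, IMPOSTOR_FACE)]
    return {
        "fingerprint": error_rates(GENUINE_FP, IMPOSTOR_FP, threshold),
        "face": error_rates(GENUINE_FACE, IMPOSTOR_FACE, threshold),
        "fused": error_rates(fused_genuine, fused_impostor, threshold),
    }


if __name__ == "__main__":
    for name, (frr, far) in compare().items():
        print(f"{name:12s} FRR={frr:.2f} FAR={far:.2f}")
```

The single-modality rates show the trade-off a lone sensor forces: lowering the threshold to accept the weak genuine capture would also admit the impostor's near-miss. The fused score separates the two populations because a real user tends to score reasonably on both traits while an impostor rarely does. Fusion only helps if the two scores are on a comparable scale, so score normalization per modality is a prerequisite in a real deployment.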
Ontrack's Wills says IPPB should build a security ecosystem, segregating the bank network into back-end and front-end. "The back-end, operated within the bank's enterprise IT environment, will be secured just like any other bank back-end," he says. "The front-end is what's new, with mobile devices being carried by Grameen Dak Sewaks and postmen.
"Special attention must be paid to securing transactions and sensitive personal data across the global system for mobile communication and mobile network, and in the devices themselves. Transaction security here is addressed by biometric + QR code reading process, and, I would assume, encryption of transaction data as it travels across the network. Security of the device itself is not discussed, but it must consist of access controls (usually a PIN) plus addressing the special requirements of mobile application security, such as preventing fake apps from being created and downloaded and preventing any malware on the device from accessing the mobile app."
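Sethi (above) says every transaction is performed online against the core banking system, and Wills assumes transaction data is protected in transit. The following added example, which is not IPPB's design or code, shows the integrity and replay-protection half of that: the handheld signs each transaction with a device-bound key and a monotonically increasing counter, and the core banking side verifies the MAC, rejects stale or replayed messages, and only then advances the device's counter. Device IDs, account numbers, the 120-second freshness window and the use of HMAC-SHA256 are all assumptions for illustration; confidentiality would come from TLS or an authenticated-encryption envelope, which this example does not implement.

```python
"""Signed, replay-protected transaction envelope between a handheld and a core bank.

Added example with assumed identifiers; not IPPB code. Uses only the
standard library (HMAC-SHA256) so it runs offline.
"""
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

FRESHNESS_WINDOW_SECONDS = 120.0  # assumed tolerance for clock skew / latency


def canonical(env: dict) -> bytes:
    """Deterministic encoding so both sides MAC exactly the same bytes."""
    return json.dumps(env, sort_keys=True, separators=(",", ":")).encode()


class Handheld:
    """The postman's device: holds a per-device key and a send counter."""

    def __init__(self, device_id: str, key: bytes) -> None:
        self.device_id = device_id
        self.key = key
        self.counter = 0

    def sign(self, txn: dict, now: Optional[float] = None) -> dict:
        self.counter += 1  # never reused, so the bank can detect replays
        env = {
            "device_id": self.device_id,
            "counter": self.counter,
            "ts": now if now is not None else time.time(),
            "txn": txn,
        }
        mac = hmac.new(self.key, canonical(env), hashlib.sha256).hexdigest()
        return {"env": env, "mac": mac}


class CoreBank:
    """Server side: per-device keys plus the last counter accepted per device."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.last_counter: Dict[str, int] = {}

    def enrol(self, device_id: str, key: bytes) -> None:
        self.keys[device_id] = key
        self.last_counter[device_id] = 0

    def verify(self, msg: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        env, mac = msg["env"], msg["mac"]
        key = self.keys.get(env.get("device_id"))
        if key is None:
            return (False, "unknown_device")
        # 1. Integrity first: nothing below is trusted until the MAC checks out.
        expected = hmac.new(key, canonical(env), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return (False, "bad_mac")
        # 2. Freshness: reject messages outside the accepted time window.
        now = now if now is not None else time.time()
        if abs(now - env["ts"]) > FRESHNESS_WINDOW_SECONDS:
            return (False, "stale")
        # 3. Replay: counter must strictly increase per device.
        if env["counter"] <= self.last_counter[env["device_id"]]:
            return (False, "replay")
        self.last_counter[env["device_id"]] = env["counter"]
        return (True, "ok")


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walk through accept, replay, tamper and stale cases with constructed data."""
    key = b"\x01" * 32  # constructed key; a real deployment provisions per device
    bank = CoreBank()
    bank.enrol("GDS-0001", key)
    device = Handheld("GDS-0001", key)
    txn = {"from": "ACC-1", "to": "ACC-9", "amount": 500}

    results = {}
    m1 = device.sign(txn, now=1000.0)
    results["valid"] = bank.verify(m1, now=1005.0)
    results["replay"] = bank.verify(m1, now=1006.0)  # same message again
    m2 = device.sign(txn, now=1010.0)
    m2["env"]["txn"]["amount"] = 5000  # attacker alters amount in transit
    results["tampered"] = bank.verify(m2, now=1011.0)
    m3 = device.sign(txn, now=1020.0)
    results["stale"] = bank.verify(m3, now=1500.0)  # delivered far too late
    m4 = device.sign(txn, now=1600.0)
    results["valid_after_failures"] = bank.verify(m4, now=1601.0)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22s} -> {outcome}")
```

The ordering inside `verify` matters: the MAC is checked before the counter or timestamp are read, so a forged message can never advance the device's counter or otherwise change server state. A failed message also does not advance the counter, which is why the device's later legitimate transaction still goes through after the tampered and stale attempts.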