
Beware the security risks before you jump onto the digital payments bandwagon

Deficit in cash flow has forced users into digital payments. Without proper precautions and security policies, the highly reactive nature of cyber security leaves us vulnerable to cyber-attacks.

[Image: chaiwalla-paytm. Image source: DNA India]

The demonetization of currency notes has shaken our country to its core. In the past week, we saw how it affected people at all levels and how they were coping with it, hoping for better in the near future. While the challenges persist, it has nudged people towards digital transactions, even for their daily needs, using virtual wallets such as PayTM and others. Companies that enabled digital payments acted as buffers, soaking up some of the pressure. In fact, there was a surge in digital payments, hitting record highs over the past week; PayTM saw a 200% increase in its mobile application downloads and a 250% increase in overall transactions. MobiKwik saw an increase of 200% in its application downloads within a few days. Other companies within this domain, such as Oxigen and PayU, have also seen a rise in their service usage.

Resultant trend may be vulnerable to security threats

This new trend is certainly heading in the right direction, towards digitization. However, there is a risk of turning a blind eye to security in the process of adapting to this digitized lifestyle. The Nordea Bank fraud incident that occurred in 2007 is a classic example of an e-banking cyber-attack, where perpetrators infected unsuspecting customers’ systems with malware that stole login credentials, and made off with over 1.1 million US dollars. Not even major financial corporations like VISA, PayPal, and MasterCard are immune to cyber-attacks.

Security standards and precautions have certainly evolved since these high-profile attacks. But the speed of technological development and its integration into our economy far outpaces that of the defense mechanisms and protocols in place to mitigate cyber-attacks on these developments. The defenses do not keep pace and are reactive in nature, which ultimately raises the question: Is it safe to utilize these new payment platforms?

PayTM, for instance, is certified under the Payment Card Industry Data Security Standard (PCI DSS) 2.0, which is the current industry security standard set by American Express, Visa International, MasterCard Worldwide and a few other international dealers. This is an essential certification for companies that store credit card information. PayTM also uses 128-bit encryption technology to encrypt any information transferred between two systems. It takes more than 100 trillion years for a hacker to crack a password under 128-bit encryption. Needless to say, transactions via PayTM are fairly secure. Other companies like MobiKwik also employ 128-bit encryption technology. This is a common security measure that companies dealing with credit card information and transactions deploy, hence there is little doubt that companies taking advantage of demonetization are employing their share of precautions for secure transactions.

Is that secure enough?

But these precautions won’t make us invulnerable. There are other things aside from login credentials that hackers target these days. For example, just a few days back, hackers breached the database of Three Mobile, a British mobile company, and stole private information on six million users. Another example is the recent massive data breach of Indian bank networks that compromised over three million users’ financial data. The breach occurred between May 25 and June 10, victimizing major banking companies, including HDFC Bank, ICICI Bank, YES Bank, and Axis Bank. This stolen data can be sold underground, used for identity theft, or used to strengthen brute-force attacks for further attacks on individuals.

These breaches may appear sophisticated, but there are other, easier methods that anyone with basic IT skills can deploy. For instance, here is an article by a hacker displaying the HTML code on how to fake the PayTM website. Using a spoofed site, a hacker can use phishing tactics to gain login credentials from unsuspecting users. Other tactics include fake mobile applications or spyware that steal information, social engineering tactics that make you reveal your login credentials, etc. This is nothing new, however; spoofing, phishing, and spyware have plagued the IT security industry for more than a decade, with their tactics getting increasingly sophisticated.

But if companies like HDFC and ICICI, which are most likely proactive in updating their security systems, still experienced cyber-attacks, what does that imply about unsuspecting users? Most new users were forced onto the digital payments bandwagon by the currency demonetization. This is especially true of street vendors who were primarily reliant on cash payments before the demonetization, such as the Chai-wallas and Pan-wallas who were quick to adapt so as to maintain their revenue. Are these new users aware of the security risks involved here? I highly doubt it. Even if they are aware of the risks, whose responsibility is it and what precautions can they take to minimize damage from future attacks?

Whose responsibility is it?

It is not a single entity’s responsibility. Everybody involved in the process, including the companies offering the service, the customers, and the government, should do their share to mitigate cyber-attacks and minimize the damage they cause. The following is a three-pronged approach for companies, customers and the government to mitigate security risks:

Companies

All companies that offer platforms or services enabling digital payments should, first and foremost, increase awareness of the risks among their customer base and educate them on ways to secure themselves. They should employ behavior analytics and pattern analysis in their fraud departments to predict suspicious behavior. They should stay proactive in looking out for any spoofed applications or websites that masquerade as their service. They should also monitor discussion boards, social media platforms, and forums that discuss hacking and fraud tactics, and implement proactive measures to thwart those tactics.

Government

The Government should also do its share to protect its citizens by minimizing vulnerabilities. It should check whether the current policies regulating this platform are adequate, and update them if necessary. It should educate the populace on the risks involved, enforce strict policies and hold companies accountable for not meeting security standards, and minimize the benefits that come from overlooking security precautions. It should also strengthen public-private partnership on live information sharing about cyber-attacks and fraud.

Customers

Customers should do their share to minimize damages. They should educate themselves about the risks involved, and take appropriate precautions. Minimize vulnerability with two-factor authentication and routine password changes. Check an application’s authenticity by looking at the number of downloads and reviews by other users; the higher the number of downloads and reviews, the higher the chances that the application is legitimate. In addition, check for other application releases from that developer. Check a website’s authenticity by checking for proper spelling of the web address, and check that the website is secure by looking for a green padlock symbol to the left of the web address and confirming that the address starts with ‘https:’. Keep web browsers updated, as they can recognize illegitimate sites easily. Do not share sensitive information, including login credentials, over emails, phone calls, or chats. Lastly, trust your instincts and double check to make sure you don’t leave yourself vulnerable.

Puru Naidu (@Brocolli88) is a Research Analyst at the Takshashila Institution


Making Sense of India’s Latest GDP Figures

The new methodology to compute India’s GDP numbers is more comprehensive, accurate and in tune with international standards

The Ministry of Statistics came out with India’s GDP growth rate figures for the fiscal year 2013-14. Much to everyone’s surprise, the growth rate came out at 6.9 percent, much higher than the anticipated 4.7 percent. The 2.2 percent difference baffled everyone, including the RBI governor Raghuram Rajan, and the Chief Economic Advisor Arvind Subramanian. The difference has raised a lot of questions and invited skepticism from both within and outside the government. Business newspapers have claimed that radical changes have been introduced in computing the GDP numbers, which explains the more positive numbers.

The Central Statistical Organization has introduced two big changes in computing GDP numbers: base year revision and using GDP at market prices. Before going into the technical aspects of these two changes, it should be mentioned that neither change is radical. The first of them is the change in base year from 2004-05 to 2011-12. The changing of the base year is a rather routine exercise carried out by the statistical offices around the world. In India, the base year has been changed numerous times and will henceforth be changed once every five years[1]. The other change is the adoption of a universal standard: that of using market prices instead of factor costs to make the GDP computations. This is mainly done to keep India’s numbers comparable with the rest of the world.

BASE YEAR CHANGE

Base year analysis is mainly done to eliminate the effects of inflation and to give a more meaningful picture of the data. GDP measures the sum total of all economic activity within a country. This monetary value is first calculated in nominal terms, or at current prices. It is then adjusted for inflation, or the changes in the general price level over time, and is thus expressed in terms of the general price level of some reference year, called the base year. To make this clearer, assume that a country is producing only one commodity, say books. The GDP of that country would then be the total quantity of books produced times the price of a book. Changes in the nominal value of the books over time can happen either due to a change in quantity or a change in prices. Change in real values captures only the change in the quantity of books produced.

Choosing the Base Year: Almost any year can be chosen as the base year, but ideally it should be a recent year to give a more meaningful idea. Since the index number of any series is set to 100 for the base year, it should also be relatively normal. Normal here means the absence of any large aberrations and upheavals in the economy (like extremely high inflation rate or an economy wide downturn).

The base year that was previously used in India was 2004-05. However, since then, there have been significant structural changes to the economy (as in any 10 year period) and a new base year had to be chosen to reflect these changes. The CSO has chosen 2011-12 as the new base year.

GDP AT MARKET PRICES:

The bigger change that has been adopted by the CSO is the change from calculating GDP at factor cost to GDP at market prices. GDP at factor costs is a measure of national income that is based on the cost of factors of production. It is essentially looking from the producers’ side. It does not include the indirect taxes paid by the consumer but includes the subsidies given by the government. GDP at market prices essentially looks at economic activity from the consumers’ angle. It measures GDP at the last step of the transactions, which is the market price paid by the consumer.

It is clearly visible that GDP at market prices is always bound to be higher than GDP at factor cost. Removing subsidies and adding indirect taxes adds a significant part to the GDP numbers (as much as 7% in 2012-13). Thus, moving to GDP at market prices was always bound to give a different number.

Table showing the difference in GDP at factor cost and GDP at market prices (in Rupees trillions)

[Table: GDP numbers]

(Source: RBI Database on Indian Economy)

The Growth rates show a significant discrepancy as well. Look at the difference between the two approaches in 2008-09 and 2010-11.

[Table: growth rates]

(Both tables are based on the previous base year 2004-05).

The move to market prices can broadly be seen as a good move in terms of being comparable with world standards. The IMF, the World Bank and various international databases, apart from the statistical organizations in different countries, use the market prices measure. Market prices are usually a more comprehensive measure and give a better picture of economic activity. The CSO has also decided to include a range of sectors and activities that were previously not included. It has covered more sectors and more financial intermediation, revised labour activities, and looked into both organized and unorganized sector activity. It has also expanded its coverage of manufacturing and included under-represented sectors and data from the corporate database of the government in arriving at the growth figure. Overall, economists and statisticians would agree that the changes in the data measurement approaches are in a positive direction. A case in point is a statement by former CSO chief Pronob Sen: “What has happened when we moved to the new base year is we’ve actually got better data. Basically if you look for instance in the corporate sector, we were earlier going with the RBI forecast and which were based on 2500 corporates. This time around we are using the MCA21 database which is five lakh companies as compared to 2500. So the quality of data has improved”.

However, the skepticism from different corners comes from the fact that the higher GDP growth numbers do not quite tie in well with numbers from other leading indicators of economic activity. For example, Index of Industrial Production numbers are down, and so is the rate of gross fixed capital formation (investments). To bridge this gap and understand the discrepancy, we will have to wait a bit longer for the revisions in the data of the other indicators, but for now, there does not seem to be much reason for complaints against this move by the CSO.

[1] The base years of the National Accounts Statistics series have been shifted from 1948-49 to 1960-61 in August 1967; from 1960-61 to 1970-71 in January 1978; from 1970-71 to 1980-81 in February 1988; and from 1980-81 to 1993-94 in February 1999. Thereafter it was changed to 2004-05 in 2006.

Anupam Manur is a Research Associate at The Takshashila Institution
