Digital payments in India have witnessed stupendous growth in recent years. The recent ten-fold growth in the volume of digital payments over five years has led the RBI to set an ambitious target of a further 10x growth in the next three years. India witnessed a whopping 552.26 crore digital payments in March, over forty percent of which ensued from the imposition of the nationwide lockdown. While digital transactions promise a four-fold increase from December 2018 to December 2021, the concerns surrounding their safety and security continue to simmer, and for good reason.
Online fraudsters have been making the most of the lockdown, a report suggests. The recent uncovering of a specious UPI ID imitating that of PM-CARES – pmcare@sbi instead of pmcares@sbi – bespeaks the sorry plight of the government, leave aside the citizens. Lack of vigilance in such cases, and turning a blind eye to shortcomings in the system, may lead to a point from which return is difficult. We need a vibrant, robust ecosystem that addresses the safety concerns of the Indian populace surrounding digital transactions.
As prevention is better than cure, to quell the rise of fraudulent incidents across the country, an approach should be adopted that seeks to prevent such incidents rather than remedy the harm once done. Currently, the RBI mandates the use of 128-bit SSL (Secure Sockets Layer), which ensures server authentication, together with the use of client-side certificates issued by the bank itself using a certificate server. This secures browser-to-web-server communications and encrypts sensitive data such as passwords, which inhibits third-party access to such information. While SSL is a trusted and safe mechanism for shielding consumers and banks against cyberattacks, it is still, to some extent, susceptible to malicious intrusions.
A more resilient mechanism, developed to counter such intrusions and fill the gaps left by SSL, is PKI (Public Key Infrastructure). It minimises the risk of malicious intrusions by issuing to the consumer a public client certificate signed by a trusted authority. This certificate, duly signed by the trusted authority, is known to the server. Whenever an attempt is made to access the server, the certificate presented by the person attempting access is verified, and access is denied if it does not match a certificate duly signed by the trusted authority, thereby limiting the chances of malicious intrusions.
The RBI has not mandated the use of PKI, despite it being the most favoured technology for secure internet banking services, because it is not commonly available. It is indispensable for fortifying the ecosystem of digital transactions that access to technologies like PKI is made feasible.
Signalling System 7 (SS7) is a signalling network used for exchanging data between network devices in telecommunication networks. While this standard was being developed, only fixed-line telecom operators had access to the SS7 network, so its security was not high on the priority list. Today the signalling network is not isolated, and this gives an intruder the opportunity to exploit its loopholes to intercept calls and text messages, bypass billing and steal money from mobile accounts.
Although the new 4G networks employ another signalling system named ‘Diameter’, the SS7 security issues have not been eliminated, because mobile operators must still ensure 2G and 3G support and interaction between networks of different generations. Furthermore, research suggests that Diameter is prone to similar threats, with 78% of networks found to be prone to fraud.
Faults in these signalling systems cannot be eliminated using existing tools. Only a holistic approach that combines security analysis, network setup maintenance, consistent monitoring of signalling traffic and timely detection of suspicious activity can ensure a higher level of protection against fraudsters. Therefore, while it is advisable that banks provide a prompt grievance redressal mechanism and limit the liability of the consumer in online frauds, it is more desirable that they comply with the highest standards rather than merely restricting themselves to the minimum requirements promulgated by the RBI.
Poor tech-literacy amongst the masses, specifically the elderly and children who fall easy prey to such dupes, should also be acknowledged lest serious implications start surfacing. As the times have marched on and the orthodox concept of literacy no longer fits the needs of society, imparting tech-education is of supreme importance. For a comprehensive development of the ecosystem, it is necessary to trace parallels rather than divergences between the trajectories of tech-infrastructure and tech-literacy.
Another issue of grave concern is the Information Technology Act, 2000, which has not kept pace with the changing times. As mankind has set forth on the ambitious endeavour of contactless transactions, it is high time we adapted the language of the law to the new conditions and rejected the old principles.
With the voluminous growth of digital transactions, a vibrant ecosystem, tech-literacy and appurtenant amendments to the legislation have become critically important to the functioning of the economy and must be shielded as one. The RBI has undoubtedly been proactive and has shown commendable performance in maintaining the security framework for banking institutions. It is recommended that Parliament too takes an active stance on the issue by introducing the required amendments and making the desired technology feasible. Here comes the FinTech Revolution!
ABOUT THE AUTHORS
Aayush is a second-year student of Gujarat National Law University, Gandhinagar. He is an ardent reader and keenly interested in Banking and Commercial Laws. He can be reached at email@example.com.
Satyam is a second-year student of Gujarat National Law University, Gandhinagar. He is a motivated socio-economic-cum-legal reform champion with a comprehensive knowledge of social justice issues. He can be reached at firstname.lastname@example.org.