Vivek Gupta, DGM & CISO at Allahabad Bank, speaks on key security challenges facing banks today:
Manoj Agrawal: Many mobile wallets have been designed in a hurry with inadequate attention to security. What percentage of the mobile wallets out there do you think are adequately secure? What do you expect this percentage to be in 1 year?
Vivek Gupta: Most of the mobile wallets were hurriedly developed to capture the market, and the focus was on customer convenience rather than application security. In many cases, even proper testing covering the possible use cases was not carried out.
It was also observed that the same software developer was providing software to many banks/wallet service providers, and they all carried similar security weaknesses and programming flaws. At the time of the first launch of various mobile wallets, I estimate that about 70% of wallets had security concerns and compromises in one case or the other.
However, later on, with stringent mandated security audits, the situation has totally changed. The number of wallet service providers and end users has grown tremendously. In the next one year, I estimate that about 80-90% of mobile wallets would be running without intrinsic security risks from an operations point of view, except for individual cases of loss of mobile or social engineering/vishing attacks, sensitive data leakage due to a user’s compromised mobile or rogue apps, and also not taking into account the risks at wallet service providers for user data, etc. Therefore, a lot of the success of the system depends on the user’s security of the mobile device, careful and hygienic use, and also security in storing sensitive data at the respective aggregation points of wallet service providers.
What do you think are the most common vulnerabilities in mobile wallets?
As mobile wallets are a customer-centric utility, available over a very large number of mobiles, robust and all-round testing was required before the actual launch. However, this gap was filled by the vast number of curious users, and some of them committed fraud as well!
In fact, there are many issues with the security, sensitivity, individuality, privacy, lifecycle, ownership, distribution, location and legality of data at individual, corporate, society and government levels. Mobile wallets also face this challenge.
There should be a central agency to approve security and programming completeness, with thorough security code testing, application testing, network testing, and testing on a variety of devices/platforms with all possible use cases, so that not only functionality, performance and proper cross-boundary integration are ensured, but proper configuration and security are also ensured. Therefore, there would not be frequent changes in the programs, and society and regulators will have better confidence in the system.
As digital wallets are designed for quicker usage and limited risk, it is necessary to use device fingerprinting, compulsory OTP, a first-debit-then-credit approach, proper handling of success and error codes across all participants, protection in case of theft of the mobile, a good customer complaint handling mechanism, reporting of errors or problems directly to the banks’ concerned teams, and use of online fraud risk management solutions.
Since loading of cash is made easy, the wallet service providers are storing debit/credit card numbers at their end and only the CVV is required to be input. Therefore, maintaining the required level of confidentiality and encryption at their end is a challenge. Stringent and frequent monitoring/audits and quick compliance are necessitated at their end.
Similarly, if the mobile is ‘rooted’ or ‘jailbroken’, the passwords stored on these devices should definitely be taken as compromised. Therefore, testing and ensuring a minimum level of device hygiene (use of a patched/latest OS, not using any rogue apps, use of a reliable mobile antivirus, use of a VPN during Wi-Fi connection, etc.) and proper authentication of the legitimate user is the need of a safe digital wallet ecosystem.
Second-factor authentication is not required in some of the mobile wallets. Most of the mobile wallets in India are not using hardware-level security, i.e. verification of device ID, phone manufacturer signature, Android version on the phone, root kit of the operating system, location and time. Mobile wallets are not checking for the presence of viruses/malware on the mobile phone and issuing alerts to users. The OS of the mobile is not properly segregated from the user data, i.e. compartmentalization. Furthermore, most of the mobile wallets are not checking whether the customer’s mobile is rooted or not.
Loss of mobile, social engineering/vishing attacks, and sensitive data leakage due to a user’s compromised mobile or running rogue apps are serious issues of concern.
Also, there are serious risks involved at wallet service providers if the user data is not properly secured. Therefore, the wallets should not store any sensitive user data at their end, especially credit/debit card details, and the same should be accessed from a third-party payment gateway kind of setup with appropriate security. Mobile wallet service providers are still growing at a fast pace.
The end users’ security of the mobile device and careful, hygienic use of apps and data are very important for the security of mobile data. Deletion of all data and passwords when discarding a mobile or wallet, or giving the mobile for repairs, is another area of concern for mobile wallets, as well as for other sensitive data on mobiles.
Mobile wallets have not been adequately hardened; therefore, they are prone to cyber attacks and the possibility of impersonation by fake users, as no verification is required except for mobile number confirmation. For third-party transactions, customer information may be shared in plain text. The wallet database on mobiles may be easily exploited.
Compliance with KYC at some early stage, even for low-value usage of the wallet, should be made compulsory. It can be incentivized also, as the usage of mobile wallets is frequently seen to be incentivized.
What are the areas of security management where you insist on CISSP certification? What is the availability of people with this certification? Does your organization prefer to have employees or external resources for this requirement?
Network security is presently the key area of need and ample benefit for CISSP certification. This covers management of core routers, core switches, firewalls, IPS/IDS, HIPS and other network-cum-security management. Overseeing VLANs, security, permission for newer services and ports, opening or blocking various IPs, handling security incidents, especially those falling in the network or cyber domain, and related forensics are the major areas of benefit from CISSP knowledge and certification.
There are very few internal CISSP-certified officials, and we compensate for the same with the presence of qualified and expert outsourced support engineers, and also in external security audits as a pre-condition. However, the bank prefers more CISSP-certified internal officials, and the bank also has a suitable reimbursement-cum-incentive program for new aspirants.
What are the key activities for a CISO when a new CXO level person enters the organization?
When a new CXO-level person enters the organization, he/she needs to be integrated and enabled with all required access privileges for data/reports. Communication with concerned officials within the organization and in the outside world through official channels, like email, telephone and mobile numbers, and remote login to authorized applications/systems are also very important. The new incumbent CXO would also be provided with electronic devices to be used inside and outside the network/premises. The new CXO is a responsible, authorized and privileged user in the organization.
Therefore, the CISO is required to ensure that the new CXO is provided with all the access, rights, user IDs, software/hardware tokens, devices, data, licensed programs, etc. with an appropriate level of security, ensuring the required level of confidentiality, integrity, availability, privacy and non-repudiation, as per the IS policy and extant good practices. The CISO is also required to ensure that no weakness or breach of security takes place due to any probable incorrect use of facilities by the CXO.
The CXO should also be provided with details of best practices of IS in the organization, a copy of the relevant policy and procedures, and dos and don’ts in the IT security domain as a user or privileged user. The CISO should help the new CXO to ensure that all passwords are changed as per the policy and that the CXO is comfortable with operations at his/her level pertaining to usage.
While enabling the new CXO with access, programs, data, devices, etc., the CISO should document the same, with a checklist ensuring provision for security and privacy for all the assets/rights/privileges enabled, and it should also be signed off by the CXO, on record, for any future reference.
The CISO should also suitably explain to the new CXO the status of security, running security projects, future plans, etc., so that the new CXO not only appreciates the good work undertaken for security, but can also extend the required help in implementing information security and related projects in the organization.