Fintechs A.C.T. on Security Threats
Fintechs have adopted multiple measures to combat security threats. Among them, the 3 key ones are Analytics, Controls, and Technologies (A.C.T.)
Anand Kumar Bajaj
Recent reports indicate that India has one of the highest numbers of internet users in the world, and it is also among the top 10 countries facing cyberattacks. Cybersecurity issues are not limited to hacking and money-related frauds but they have become a threat to national security as well. Technology experts are confident that the new cybersecurity bill will be a game-changer, especially for the BFSI industry.
As per Acronis Cyber Readiness Report 2020, as much as 56% of the Indian companies have increased their IT spending significantly in the past months, nearly 2 times the global average. The challenge for organizations is that managing the protection of data across the company network and all those new devices using a stack of different solutions is expensive, time-consuming, and complicated. The lack of integration also creates gaps in the organization’s defenses and cybercriminals are exploiting it.
Banking Frontiers queried technology experts from new-age insurance, fintech, and insurtech companies about the type of fraud they faced during the lockdown, technical and non-technical initiatives taken by them, awareness activities for employees and customers, etc.
Trending Frauds
The main concern of payments services provider PayNearby during the lockdown was the threat of individuals claiming to be representatives of the company or posing as customer care executives and getting customers to divulge sensitive information. Anand Kumar Bajaj, MD & CEO at PayNearby, says that the company’s employees are currently working from home, and browsing any restricted sites may lead to company laptops getting infected with malware. The other challenge, according to him is that in case of any DDOS attack, server lock, or power outage problem, there is no option but to visit the main office or data center for a resolution. Because of the ongoing pandemic, that can be a significant inconvenience.
Vishal Shah, Head of Data Sciences at Digit Insurance Company, confirms that the company has faced impersonation frauds, misuse of the system, data access rights, and phishing attacks during the lockdown period.
Bibhu Krishna
Bibhu Krishna, Head – IT & Infra at Policybazaar.com, shares the list of frauds faced by the company: “Because of covid, people have started working from home and the parameters of security have changed. Now, the network is the internet. We have faced attacks on our application, a lot of phishing attacks on the domain, email, etc. We were not ready for WFH when it was started in March, so we have enabled whatever we can to continue our business activities. We have allowed our team members to use their devices for official purposes. This was also a threat to us.”
Bibhu Krishna, however, feels things have improved from March to August. The insurtech company is also facing threats from other similar companies as they are copying its website content, domain, and other things that Policybazaar.com does Technologies & Partners Most of the companies are PCI-DSS certified to ensure that all transactions are done through a secure network in compliance with Payment Security Council standards and ISO 2700 certified international standards to manage information security.
Digit Insurance has implemented single sign-on, secure tunnels, and communicated the latest security information to its employees and customers. The company’s technology partners are Forcepoint for DLP, Trend Micro for endpoint security, and Cisco for network security.
Policybazaar.com has taken several technology initiatives to ensure cybersecurity like analytics and system tools on a monthly cycle for cybersecurity. Avast Antivirus, Akamai Technologies, and Check Point Software Technologies are its key technology partners.”
PayNearby too has undertaken quite a few precautionary measures to counter cyber frauds during the lockdown. It has strong access controls with maker-checker restrictions to ensure that multiple people are involved in processing a transaction. Access to critical systems is restricted to VPN-only solutions. Direct access to the production data center is disallowed even via a VPN.
Vishal Shah
Anand Kumar Bajaj provides details: “We have moved all key personnel to Virtual Desktop Interface, or VDIs with strict installation controls so that they are not connected to the office environment. Open internet related work can be carried out on the office laptop while development/recon/tech support is only done via VDIs where internet access is severely restricted. Code deployment is done only via a ‘user’ rights cred in an automated manner to minimize the risk of transmission of malware from office laptops or the internet.”
Non-technical initiatives
In addition, tech companies have taken several non-technical initiatives to guide their customers. Policybazaar.com is educating and training its employees and customers about fraud. Bibhu says before covid, team members used to easily inform the authorities in case of any threats faced by them, restricting losses to the company. “But with WFH becoming a norm, our team members are scattered, it is difficult for them to reach the right person in case of a security threat. We have taken steps like alerting and monitoring in case of such occurrences.”
PayNearby is running an awareness campaign called ‘Swachh Transaction, Swachh Bharat’ with videos and posters in multiple languages urging our Digital Pradhans (retail partners) to be vigilant while conducting transactions. For the rural consumers who perform transactions at the company’s digital touchpoints, these videos create awareness about cyber fraud, reminding them that PayNearby retailers will never ask for their login ID, password, OTP PIN, or any sensitive information.
Awareness campaigns
Digit Insurance sends the latest information about cybersecurity to its employees regularly to keep them updated. Says Vishal Shah: “We create awareness among the users of our system about the policies, do’s & don’ts and best practices about WFH, strengths of our advanced threat protection systems, auditing of systems and application rights.”
Policybazaar.com has introduced online training sessions in their internal CRM system. Bibhu Krishna gives details: “We used to arrange cybersecurity manual training sessions in our office, but after WFH, scheduling the manual training sessions has become a challenge. We have introduced online training when our team members log in to the CRM system. Offline things have become online because of covid.”
He also shares the details about the awareness campaign: “We share the dos and don’ts like do not share your password, do not log in to public Wi-Fi, do not click the URL if you are not confident about it and we regularly educate our customers about it. Our information security campaigns are more textual, and there is less video content in them. It has been a learning curve for us, and I believe digital is the way forward.”
Anand Kumar Bajaj has the final word: “All of our campaigns help us to combat the menace of imposters who often impersonate retailers to dupe customers. Our communications reach our customers through the mobile application, web portal, YouTube, social platforms, and WhatsApp channels.”
