Payment companies should open up about breach allegations, says NPCI CISO

Digital transactions in India grew by 37% over the last year, according to Statista Research. The growth is drawing private equity and venture capital firms to the digital payment space: fintech companies raked in 14% of all VC investments in the country, the Indian Private Equity & Venture Capital Association says.

Cybercriminals too have been drawn to the digital payments space, leading to some high-profile data breaches. In January 2021, Juspay was hit with a massive security incident: close to 35 million customer accounts with masked card data and card fingerprints were breached. Three months later, 3.5 million customer accounts of digital payments major MobiKwik reportedly went up for sale on the dark web, although the company continues to deny its systems were breached.

Given the criticality of digital payments security, CSO Online sought the views of Antony Prakash, chief information security officer of National Payments Corporation of India (NPCI) to get a read on the current threat landscape, the biggest challenges faced by CISOs today, and what they can do to avoid the being the subject of the next wave of data breach news stories.

CSO Online: What are your thoughts on the current threat landscape in the digital payment ecosystem in India?

Anthony Prakash: The current threat landscape has evolved rapidly over the last year. There has been an abrupt change in the way organizations operate, which has resulted in the need to adapt and mobilize the workforce to adjust to the unprecedented situation.

The attack surface has increased as more people are working from home; data theft and breaches are on the rise, and threat actors are targeting the payment and banking industries vigorously. There has been a shift in the attack vectors employed by threat actors to exploit these situations. The major attacks observed recently have been initiated through identity theft, compromise of access keys, or spear-phishing attacks on senior business individuals. This has led to threat actors having unsolicited access to the confidential data sources and files which are critical to organizations.

The tactics, techniques, and procedures employed by attackers are becoming more and more sophisticated. The need of the hour is to move to intent-based monitoring, such as User and Entity Behavior Analysis (UEBA) and understand behavior patterns with the help of technologies like Network Behavior Anomaly Detection (NBAD), deploying endpoint security protection and the adoption of AL/ML based prevention and detection tools.

What have we learnt from recent massive data breaches, and what does NPCI recommend companies do to prevent future attacks?

One of the major learnings for startups is to be more vigilant in this interconnected world. Any data breach will have linkages to multiple financial organisations who work with them. Since lots of organizations are now setting up their IT infrastructure on cloud-based platforms, it is important to consider the security aspects of each function, from access management to log collection, to ensure the safety of customers’ data and their privacy. 

It is critical that companies secure their cloud infrastructure. Even the slightest misconfiguration in the cloud infrastructure can expose the entire environment to the internet and make it prone to attacks. It’s easier to obtain, set up, and manage infrastructure in the cloud. However, companies often forget that cloud security is the responsibility of both the cloud service provider as well as the cloud service consumer.

We recommend companies:

• be more strict and adapt restrictive policies for key storage and lifecycle management;
• regularize breach assessments and VAPT (vulnerability assessment and penetration testing)exercises to understand current security measures and then take robust policy decisions to strengthen and optimize policies;
• emphasize endpoint security to ensure zero-trust architecture (two-factor authentication, SSL VPN, etc) and Secure Access Service Edge (SASE) model (closeto perimeter) for enhanced security at the edge level;
• regularly train employees to make them more aware and vigilant: An organization needs to ensure that its employees do not fall prey to phishing and other social engineering attacks.

How do you view the criticality of vulnerability reporting and data breach disclosures in wake of the recent incidents?

We believe that organizations should proactively discuss breach allegations, and share details of the investigation carried out to either confirm or deny the breach. This brings clarity to consumers and increases their trust factor. Organizations should also implement self-discipline to ensure their cybersecurity standards are applied at all operational levels.

What are the biggest challenges faced by CISOs of fintech companies today? How much can they rely on measures like SHA-256 encryption and multi-factor authentication?

The primary challenge faced by the CISO is backward compatibility, where certain applications support older, vulnerable, non-secure protocols. Removing them from the environment is tough as the business runs on certain important applications.

Thus the CISO has to maintain a balance between business and information-security posture in the company. Usage of strong hashing algorithms and multifactor authentication allows the organization to prevent unauthorized access and remove data in clear text.

The security of the data handled by payment organizations is crucial and requires the highest level of encryption and security standards to ensure end-to-end security of data. SHA-256, SHA-384, and ECDHE-128 are a few encryption standards used across the payment organization. As the encryption standards are evolving day by day, we must evaluate how weak or strong is a cipher used for data encryption and move to more secure standards. A working challenge with using very strong ciphers is its impact on the processing units, hence a judicious call has to be taken to achieve the right balance.

Multi-factor authentication provides a more secure and robust solution to validate and authorize the user and their access. It allows us to identify people, not only based on what they know (password) but also ensure who they are (biometric scans), and what they possess (tokens). Through this cross-validation, we can ensure that people confirm their identity through multiple channels. Enabling a second-factor authentication with push notification ensures that users get notified if someone is trying to use their access IDs. With more sophisticated biometric sensors coming in place, multifactor authentication will further evolve to incorporate facial recognition and iris scan into payment applications. Multifactor authentication ensures that trust established in the cyber world is as close to the physical presence of an individual as possible.

Tell us more about the role NPCI plays in helping secure the digital payments space? What are some of the standards and practices you drive at your own organization?

NPCI has always ensured that we comply with the highest level of security standards at all our operational segments. The policy is to incorporate security by design to ensure seamless integration of products with security tools and methodology.

As a PCI and ISO:27001:2012 certified organization, we ensure that robust and in-depth security standards are applied – from infrastructure security compliance to data security standards. At NPCI, we:

• ensure hardening standards are applied on all the component network, application, servers, and database to mitigate inherent vulnerabilities of these systems;
• perform appropriate application security and code review to identify and fix any gaps in the application code that can be exploited;
• conduct regular VAPT exercises to address any new vulnerabilities added to the environment;
• perform breach assessment for both external and internal applications to identify any attack vectors that can be exploited;
• integrate tools and appropriate monitoring mechanisms to identify issues.

NPCI regularly asks their member participants to carry out necessary audits to identify open vulnerabilities and gaps which could result in probable data compromise. It is only through regular audits and review of compliances through internal assessments that issues get identified.

Organizations should openly reach out to regulatory bodies and share the issues that have been identified and share the action plan on what is being done to fix them. This is what is expected from responsible organization as a part of good corporate governance which will also showcase their commitment towards customer privacy and data security.