There’s been a surge in transactions through the mobile payment channel, thanks to the rapid development of information technology, spread of mobile phones, and demonetisation.
But are mobile payments secure? A study by the Centre for Software and IT Management (CSITM) at IIM Bangalore (IIM-B) raises significant questions on the risks associated with mobile phone-based payment systems.
The experiments

“We conducted experiments with five popular mobile payment systems, in four broad categories — wallets (Paytm, FreeCharge), direct link with user’s bank (BHIM), specific bank’s app for account-holders (iMobile by ICICI Bank), and basic USSD service (dialling *99#),” said Rahul De, Chairperson, CSITM, and faculty at IIM Bangalore. De explained that the study evaluated the apps on the following six key security principles for electronic banking transactions: the potential for confidentiality breaches; the management of the transactions for subsequent repudiation; the strength of the authentication process; the data and transaction integrity procedures; the extent of access and availability of services; and the procedures for maintaining privacy of customer information.
The study found serious privacy concerns with all the services, said Prof De. For instance, while in many apps, such as FreeCharge, the wallet is not directly linked to third-party vendors (such as Uber or BigBasket), apps such as Paytm allow automatic linkage with the vendors, which can then deduct amounts without the explicit consent of the user.
Potential for confidentiality breaches was a problem observed in all the mobile payment methods, except USSD. A recurring security concern was that many of the apps do not automatically log the users out, and anyone having access to the phone can make financial transactions through these apps.
This risk is highest if the user loses or misplaces her/his mobile phone, and higher still if the phone is unlocked or unprotected. However, apps such as iMobile and BHIM have auto-logout/session time-out features.
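The auto-logout/session time-out control credited to iMobile and BHIM above can be illustrated with a small session manager. The following is an added example written for this article, not code from the study or from any of the apps it evaluated; the timeout values (2 minutes idle, 15 minutes absolute), the re-authentication threshold and the fake clock are assumptions chosen to make the behaviour observable offline.

```python
"""Idle and absolute session time-outs for a payment app (added example).

Two independent limits close a session: an idle limit, so a phone left
unlocked cannot be used to pay after a short gap, and an absolute limit,
so constant tapping cannot keep a session alive indefinitely. Larger
payments additionally require a fresh PIN even inside a live session.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

IDLE_TIMEOUT_S = 120       # assumed: log out after 2 minutes without activity
ABSOLUTE_TIMEOUT_S = 900   # assumed: log out 15 minutes after login regardless
REAUTH_ABOVE = 1000.0      # assumed: amounts above this need the PIN re-entered


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


class SessionManager:
    """Tracks sessions against an injectable clock so it can be tested offline."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, token: str, user_id: str) -> Session:
        now = self._clock()
        session = Session(user_id, created_at=now, last_seen=now)
        self._sessions[token] = session
        return session

    def get(self, token: str) -> Optional[Session]:
        """Return the live session for token, or None (and discard it) if expired."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        idle_expired = now - session.last_seen > IDLE_TIMEOUT_S
        absolute_expired = now - session.created_at > ABSOLUTE_TIMEOUT_S
        if idle_expired or absolute_expired:
            del self._sessions[token]   # force a fresh login
            return None
        session.last_seen = now         # activity extends only the idle window
        return session

    def pay(self, token: str, amount: float, pin_verified: bool) -> str:
        """Authorise a payment; every check happens server-side, not in the UI."""
        session = self.get(token)
        if session is None:
            return "denied: session expired, log in again"
        if amount > REAUTH_ABOVE and not pin_verified:
            return "denied: re-enter PIN for this amount"
        return f"ok: {session.user_id} paid {amount:.2f}"


class FakeClock:
    """Constructed clock so the walkthrough is deterministic."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> List[str]:
    """Walk through the idle limit, the PIN threshold and the absolute limit."""
    clock = FakeClock()
    mgr = SessionManager(clock)
    out: List[str] = []

    mgr.login("tok", "alice")
    clock.advance(60)
    out.append(mgr.pay("tok", 250.0, pin_verified=False))   # inside idle window
    clock.advance(60)
    out.append(mgr.pay("tok", 5000.0, pin_verified=False))  # alive, but large amount
    out.append(mgr.pay("tok", 5000.0, pin_verified=True))   # fresh PIN supplied
    clock.advance(121)
    out.append(mgr.pay("tok", 10.0, pin_verified=False))    # idle limit exceeded

    mgr.login("tok2", "bob")
    last = ""
    for _ in range(16):                 # 16 minutes of continuous activity
        clock.advance(60)
        last = mgr.pay("tok2", 1.0, pin_verified=False)
    out.append(last)                    # absolute limit still closes the session
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the two limits is that they address different failure modes: the idle timeout covers the scenario the study describes (a phone left unlocked and picked up by someone else), while the absolute timeout bounds how long a captured session token is useful at all. Keeping the checks in `pay` rather than in the screen logic means a bypassed or modified client cannot skip them.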
‘Constantly evolving’

“We also observed inadequate management of the transactions and no evidence of systematic analysis of transaction patterns. The lack of these features is a potential security violation. However, even while we were conducting the study, we observed that the features of the apps and services were constantly evolving and changing.
“Hence, we add the caveat that the evaluation of the apps in this report is as observed during our study conducted between December 16 and January 17, and it is likely that some of the concerns presented in this report have been addressed, and perhaps new concerns have emerged,” Prof De emphasised.