The new India Post Payments Bank will bring banking to the doorstep by using India's vast network of post offices. Postmen will perform digital transactions on their phones. That is raising concern among security leaders, who recommend adopting defense-in-depth security.
The new bank is designed to serve a largely low-income population with little banking experience, much less experience with mobile or online technology. So these customers are particularly vulnerable to social engineering.
"They are most prone to threats, including remote exploits (network-based attacks), phishing, ransomware and cyber-espionage," says Aditya Khullar, technical leader-cybersecurity at Paytm, an e-commerce payment system and digital wallet company. "Malicious users may attempt unauthorized access through hand-held devices, too."
As a result, many security practitioners recommend the bank implement new, strong authentication methods and train a security team.
Banking Service for the 'Unbanked'
India Post Payments Bank is incorporated as a public sector company under the Department of Posts with 100 percent government equity; it's governed by the Reserve Bank of India.
IPPB, under the Ministry of Communications, enables three lakh postmen and Grameen Dak Sewaks, or postmasters, to digitally deliver financial services.
At the launch in Delhi this week, Prime Minister Narendra Modi said: "The growing pace of technology in communication threw a challenge, and we used technology as a base to turn that challenge into an opportunity to convert postmen into bankers delivering financial services to the rural sector."
IPPB will be available through 650 branches and 3,250 access points immediately, scaling to all 1.55 lakh post offices by December 2018.
IPPB accepts deposits up to Rs 1 lakh and offers remittance services, mobile payments/transfers/purchases, debit cards, net banking and third-party fund transfers.
Communications Minister Manoj Sinha says deposits above Rs. 1 lakh will be automatically converted into post office savings accounts. "The bank is permitted to link around Rs. 17-crore postal savings bank accounts with its own setup, including 1.4 lakh bank branches, nearly 50,000 of them in villages, which face a challenge reaching the 'unbanked'," Sinha says.
Security inward Question
Suresh Sethi, managing director and CEO of India Post Payments Bank, says in an interview with Livemint: "There is a lot of focus on ensuring all RBI guidelines regarding establishing the bank are met, including creating the right customer-facing processes and compliance with end-of-day balances."
He adds: "We are giving postmen smartphones, on which a mobile agent app will be installed, and a biometric authentication device, all connected on a real-time basis with our core banking system. It will meet stringent RBI guidelines to ensure each transaction is online. We've invested in very high-end technology capability for ensuring our applications are simple, intuitive and leveraging RBI's payment and settlement system, which makes them affordable and helps bring interoperable services to the last mile."
Singapore-based Tom Wills, director of Ontrack Advisory Pte. Ltd., a security consulting firm, says the new bank will face the same threats all banks face. "However, its new remote service delivery model using mobile devices carried by postmen needs special attention; it's practically guaranteed that fraud will be attempted from day one," he says.
"Biometric authentication will provide protection against hacking and many types of identity fraud, though not against social engineering (fraudsters persuading a legitimate user to send them money). No system in the world is able to stop that because it's a human, not technical, attack."
Dharshan Shanthamurthy, founder & CEO at SISA Infosecurity Pvt. Ltd., a payment specialist firm, says: "Regarding postal payments services, if biometric authentication is placed as an additional factor, not as a primary factor, it can contain fraud risks, as payment infrastructure is a very lucrative target for fraudsters."
The biggest challenge, says Mudit Rastogi, senior vice president-India and APAC at Aujas Networks, a managed service provider, is delegating responsibility for delivering services to those who are not technology savvy. The handheld devices that are critical endpoints for banking are prone to fraud, he adds.
K.K. Mookhey, CEO at Network Intelligence, a cybersecurity consulting firm, expects IPPB will face risks different from those of other banks, particularly if the post office network and the network used for banking transactions are not segregated.
Building inward Security
IPPB will not require the use of debit cards. Instead, it will rely on issuing new QR (Quick-Response) cards that use biometric authentication, not passwords or PINs.
IPPB has already launched its app, which can be used for mobile banking and for opening an Aadhaar-based account without visiting a post office, according to Live Mint.
Mookhey argues that IPPB needs to appoint a CISO to drive governance and implement a proper organizational structure for policy and procedure adoption. "It's a green field project, so it's easier to build security by design and ideally design the security architecture to address network, operating system, database and application security," he says.
Khullar believes IPPB should focus on ensuring defense-in-depth as it builds the infrastructure. "Known as layered security or layered defense, it describes the practice of combining multiple mitigating security controls to protect resources and data," he says.
Rastogi supports Khullar's argument for a layered security model with multifactor authentication, which would help in establishing a secure transaction through handhelds.
"IPPB should have an in-house cybersecurity team ... to enable thwarting attacks/exploits proactively," Khullar recommends.
Ideally, IPPB should use multimodal biometrics, Khullar says, using more than one distinguishing trait, such as fingerprint and facial recognition, or capturing multiple sets of the same trait through different sensors, enabling stronger authentication. "Combining individual measurements - called biometric fusion - increases robustness," he says.
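The two recommendations above, multifactor authentication on the handheld (Rastogi) and biometric fusion with the biometric used as an additional rather than primary factor (Shanthamurthy, Khullar), can be shown together in one authorization policy. The following is an added example written for this article, not IPPB's or Paytm's code. It assumes a per-device secret provisioned at enrolment (possession), an agent PIN stored as a salted PBKDF2 hash (knowledge), and two biometric match scores in the range 0 to 1 fused at the score level (inherence); the device key, PIN, weights, thresholds and scores are all constructed values chosen for illustration.

```python
"""Added example (not IPPB code): authorizing an agent's transaction on a
handheld with possession + PIN + fused biometric, biometric checked last."""
import hashlib
import hmac
from dataclasses import dataclass

# Per-device secret provisioned at enrolment (constructed value; in practice it
# lives in the handset's hardware-backed keystore and never leaves the device).
DEVICE_KEYS = {"handset-0001": b"constructed-device-secret-0001"}

AGENT_SALT = b"constructed-salt"   # constructed; real deployments use a per-agent random salt


def pin_hash(pin, salt):
    # PBKDF2 so a leaked agent table does not yield PINs directly.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


# Constructed agent record: which handset the agent is bound to, plus PIN hash.
AGENTS = {"agent-42": {"device": "handset-0001", "pin": pin_hash("4821", AGENT_SALT)}}


@dataclass
class Attempt:
    agent_id: str
    device_id: str
    device_mac: bytes    # HMAC over the server challenge with the device key (possession)
    pin: str             # knowledge
    finger_score: float  # match score from the fingerprint sensor, 0..1 (inherence)
    face_score: float    # match score from facial recognition, 0..1 (inherence)


def make_device_mac(device_id, challenge):
    """Handset side: prove possession by MACing the server's fresh challenge."""
    return hmac.new(DEVICE_KEYS[device_id], challenge, hashlib.sha256).digest()


def verify_possession(challenge, attempt):
    key = DEVICE_KEYS.get(attempt.device_id)
    agent = AGENTS.get(attempt.agent_id)
    if key is None or agent is None or agent["device"] != attempt.device_id:
        return False
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, attempt.device_mac)


def verify_pin(attempt):
    stored = AGENTS[attempt.agent_id]["pin"]
    return hmac.compare_digest(pin_hash(attempt.pin, AGENT_SALT), stored)


# Score-level biometric fusion: weighted sum of the per-modality scores, with a
# floor on each modality so a strong score in one cannot mask a failed capture
# in the other. Weights and thresholds are assumed operating points.
FUSION_WEIGHTS = (0.6, 0.4)   # fingerprint weighted above face (assumption)
FUSED_THRESHOLD = 0.75
PER_MODALITY_FLOOR = 0.3


def fused_biometric_score(finger_score, face_score):
    wf, wc = FUSION_WEIGHTS
    return wf * finger_score + wc * face_score


def verify_biometric(attempt):
    if min(attempt.finger_score, attempt.face_score) < PER_MODALITY_FLOOR:
        return False
    return fused_biometric_score(attempt.finger_score, attempt.face_score) >= FUSED_THRESHOLD


def authorize(challenge, attempt):
    """Return (ok, reason). Order matters: the biometric is consulted only after
    possession and knowledge have passed, so it is an additional factor, never
    the primary one."""
    if not verify_possession(challenge, attempt):
        return False, "possession"
    if not verify_pin(attempt):
        return False, "pin"
    if not verify_biometric(attempt):
        return False, "biometric"
    return True, "ok"


if __name__ == "__main__":
    challenge = b"constructed-server-nonce"   # fresh per transaction in practice
    good = Attempt("agent-42", "handset-0001", make_device_mac("handset-0001", challenge),
                   "4821", finger_score=0.9, face_score=0.8)
    print(authorize(challenge, good))
```

The per-modality floor is the practical point: with fusion alone, a spoofed or replayed fingerprint scoring 0.95 could carry a near-zero face score over the threshold; the floor makes both captures have to succeed.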
Ontrack's Wills says IPPB should build a security ecosystem, segregating the bank network into back-end and front-end. "The back-end, operated within the bank's enterprise IT environment, will be secured just like any other bank back-end," he says. "The front-end is what's new, with mobile devices being carried by Grameen Dak Sewaks and postmen.
"Special attention must be paid to securing transactions and sensitive personal information across the global system for mobile communication and the mobile network, and in the devices themselves. Transaction security here is addressed by the biometric + QR code reading process, and, I would assume, encryption of transaction data as it travels across the network. Security of the device itself is not discussed, but it must consist of access controls (usually a PIN) plus addressing the special requirements of mobile application security, such as preventing fake apps from being created and downloaded and preventing any malware on the device from accessing the mobile app."
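Wills's point about securing transaction data as it crosses the mobile network concerns two distinct properties: confidentiality (the encryption he assumes) and authenticity, meaning the back-end can tell that a message really came from an enrolled handset and has not been altered or replayed in transit. The following added example, written for this article and not IPPB's code, shows the authenticity half: the handset attaches an HMAC over a canonically serialized transaction using a per-device key provisioned at enrolment, and the back-end verifies the MAC, enforces a timestamp window and rejects a nonce it has already seen. Confidentiality is assumed to come from the transport (for example TLS) and is not implemented here. The device key, identifiers, skew window and sample transaction are constructed values.

```python
"""Added example (not IPPB code): authenticating an agent handset's transaction
message to the back-end and rejecting tampered or replayed messages."""
import hashlib
import hmac
import json
import secrets
import time

# Per-device key provisioned at enrolment (constructed value; in practice held
# in the handset's hardware-backed keystore and in the bank's HSM).
DEVICE_KEYS = {"handset-0001": b"constructed-device-secret-0001"}

MAX_SKEW_SECONDS = 120   # assumed acceptance window for a transaction timestamp


def canonical(tx):
    # Deterministic serialization so handset and back-end MAC identical bytes;
    # a re-ordered JSON object must not produce a different MAC.
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(device_id, tx):
    """Handset side: attach a MAC over every field of the transaction."""
    mac = hmac.new(DEVICE_KEYS[device_id], canonical(tx), hashlib.sha256).hexdigest()
    return {"tx": tx, "mac": mac}


class BackEnd:
    """Back-end side. `now` is injectable so the window check is testable."""

    def __init__(self, now=time.time):
        self.now = now
        self.seen_nonces = set()   # in production: persistent, per-device, expiring

    def accept(self, message):
        """Return (accepted, reason). Checks run cheapest-to-reject first after
        the MAC, and nothing is trusted from the message until the MAC holds."""
        tx = message.get("tx", {})
        key = DEVICE_KEYS.get(tx.get("device_id"))
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message.get("mac", "")):
            return False, "bad mac"          # amount or any other field altered
        if abs(self.now() - tx["ts"]) > MAX_SKEW_SECONDS:
            return False, "stale"            # captured earlier, submitted late
        if tx["nonce"] in self.seen_nonces:
            return False, "replay"           # same message submitted twice
        self.seen_nonces.add(tx["nonce"])
        return True, "accepted"


def new_transaction(device_id, agent_id, account, amount_paise, ts):
    # nonce: random per message so two identical deposits still differ
    return {"device_id": device_id, "agent_id": agent_id, "account": account,
            "amount_paise": amount_paise, "ts": ts, "nonce": secrets.token_hex(16)}


if __name__ == "__main__":
    backend = BackEnd()
    tx = new_transaction("handset-0001", "agent-42", "ACCT-000123", 50_000, int(time.time()))
    msg = sign_transaction("handset-0001", tx)
    print(backend.accept(msg))     # first submission
    print(backend.accept(msg))     # same message again: replay
```

Two details carry the weight here: `hmac.compare_digest` avoids a timing side channel on MAC comparison, and the nonce set must be durable and per-device in a real deployment, otherwise a back-end restart reopens the replay window.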