The Wire: New Delhi: Friday, 31 July 2020.
A government audit of India’s flagship payments processor last year found more than 40 security vulnerabilities, including several it called “critical” and “high” risk, according to an internal government document seen by Reuters.

The audit, which took place over four months to February 2019, highlighted a lack of encryption of personal data at the National Payments Corporation of India (NPCI), which forms the backbone of the country’s digital payments system and operates the RuPay card network championed by Prime Minister Narendra Modi.

The March 2019 government document cited the storing of 16-digit card numbers and other personal information, such as customer names, account numbers and national identity numbers, in “plain text” in some databases, leaving the data unprotected if the system was breached. The audit has not previously been reported.

The NPCI said in a statement to Reuters that it is regularly audited in the interests of security and that senior management reviews all findings, which are then “remediated to (the) satisfaction of the auditors”. This includes the findings cited by Reuters, it said.

India’s National Cyber Security Coordinator, Rajesh Pant, whose office coordinated the audit, also said in a statement to Reuters that “all observations raised in last year’s report have been confirmed as resolved by the NPCI”.

Pant added that audits are best practice for the mitigation of cyberattacks and are conducted on a periodic basis by all enterprises.

The audit was undertaken to provide Modi’s National Security Council with an overview of the NPCI’s defences against cyberattacks. Modi’s office and the finance ministry did not respond to a Reuters request for comment.

The audit’s findings underscore the data-security challenges faced by the NPCI, which processes billions of dollars daily via services that include inter-bank fund transfers, ATM transactions and digital payments.

In India and beyond, financial institutions are under immense pressure to mount effective defences to protect their customers as the number of malicious cyberattacks grows and hackers become more sophisticated.

Set up in 2008, the NPCI is a not-for-profit company which, as of March 2019, counted 56 banks as its shareholders, including the State Bank of India, Citibank and HSBC.

RuPay, in particular, has been enthusiastically endorsed by Modi, who has likened its use to a national duty. It has grown to account for almost two-thirds of the nearly 900 million debit and credit cards issued in India as of October, according to NPCI and central bank data.
Governance concerns
The audit followed a Reserve Bank of India (RBI) inspection report on the NPCI in July 2017 that found lapses in its internal auditing practices, operational risks and improper whistleblower policies.

There was a “lack of awareness of risks and risk culture in the institution,” according to a mostly redacted version of the 37-page report that was obtained by Reuters via the Right to Information Act (RTI) last year.

The 2019 government document about the audit also noted: “There is a strong need for proper governance.”

The RBI conducted another inspection between November and December 2019. A 33-page report on that inspection included its assessment of the NPCI’s governance and its operational and credit risks. But most of the report, also obtained by Reuters via the RTI Act, was redacted by the central bank, which cited the need to protect India’s and the NPCI’s economic interests.

The NPCI in its statement did not comment specifically on the RBI reports, but said all observations cited by Reuters were remediated. The RBI did not comment on the reports.
Issues cited
The March 2019 government document said a variety of card numbers were unencrypted within the NPCI database for the country’s network of almost 250,000 ATMs, while unencrypted RuPay card numbers could also be seen in the organisation’s server logs.

It recommended that sensitive data, customer data and personal identity information be “properly encrypted/masked in the database and logs”.

The NPCI said in its statement to Reuters that it stores card data in line with standards set by the PCI Security Standards Council and has been subject to audits authorised by the council. “No non-conformities have been observed and we are fully compliant to these standards,” the statement said.

Other high-risk issues in RuPay and other NPCI applications cited by the government audit included a so-called “buffer overflow” vulnerability, a memory-safety flaw that can allow hackers to exploit coding mistakes.

Operating systems used by the NPCI were not “up to date”, and one of its mail servers had inadequate anti-malware functionality, it also said.

The audit was conducted by a team of 10 to 12 people at the NPCI’s Mumbai headquarters and offices in two other cities, a person familiar with the matter said, declining to be identified.