Demonetisation: Will CERT-In Advisory Help Mitigate Risks?
Security Experts Weigh in on Security Advisory's Effectiveness
In the aftermath of Prime Minister Narendra Modi ordering on Nov. 8 that 500 and 1,000 rupee notes be taken out of circulation to help fight tax fraud and counterfeiting, there's already been a dramatic increase in "cashless" transactions, including the use of micro ATMs, point-of-sale counters and online banking.
As a result, CERT-In, India's Computer Emergency Response Team at the Ministry of Electronics and Communication, or MeitY, has issued an advisory on mitigating the new risks involved. It cautions consumers, enterprises and service providers to be on the lookout for increased malware attacks and urges adoption of high-end encryption to prevent breaches.
But some security critics wonder if organisations take such advisories seriously. And they call for a much stronger push toward compliance with the guidelines offered.
"Usually, enterprises/users don't adhere to advisories; they lack the resources to take up the responsibility of complying with guidance," says Chennai-based Sivakumar Krishnan, head-IT at M Power Micro Finance Pvt. Ltd., a non-banking finance company registered with RBI. "Besides, they always think, 'my organisation is safe and secure'."
Expanded Use of Encryption
CERT-In is warning about threats to micro ATMs, and it expects a rise in data vulnerabilities after recent debit card breaches through ATMs. Micro ATMs are point-of-sale devices that work with minimal power and connect to central banking servers through GPRS, or General Packet Radio Service.
Three areas need attention, CERT-In says: data in transit, data at rest and data in memory. Data in memory is nearly impossible to defend if attackers have access to the POS system, it notes.
"Traditionally, data input into the POS system is in memory in clear text, helping attackers - memory scrapers - to succeed," CERT-In says.
To minimize the risk, organisations should encrypt card data as soon as possible and keep it encrypted to the maximum extent throughout its life within the system, CERT-In advises.
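The "encrypt as soon as possible, keep it encrypted" discipline described above can be made concrete. The following Go program is an added illustration, not code from CERT-In's advisory or from any vendor it mentions: it treats the captured primary account number (PAN) as a mutable byte buffer, encrypts it with AES-GCM the moment it is captured, keeps only the ciphertext and a masked display form, and overwrites the plaintext buffer before returning, so the clear-text number is not left sitting in memory for a scraper to harvest. The key, the test PAN and the associated-data label are constructed for the demo; a real micro ATM or POS terminal would take the key from a hardware security module or key-management service, and Go cannot guarantee that the runtime made no other copy of the buffer, so this shows the pattern rather than a hardened terminal implementation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Associated data binds the ciphertext to its context (constructed label).
var captureContext = []byte("micro-atm-capture")

// ProtectedPAN is all the application retains after capture: the PAN exists
// only as AES-GCM ciphertext plus a masked form that is safe to log or display.
type ProtectedPAN struct {
	Nonce      []byte
	Ciphertext []byte // AES-GCM output with the authentication tag appended
	Masked     string // e.g. "************1111"
}

// Protect encrypts the captured PAN immediately and wipes the plaintext
// buffer in place. The caller passes a []byte rather than a string precisely
// so that the clear text can be overwritten once it has been sealed.
func Protect(pan []byte, key []byte) (ProtectedPAN, error) {
	defer wipe(pan) // plaintext lifetime ends when this function returns, on every path
	if len(pan) < 13 || len(pan) > 19 {
		return ProtectedPAN{}, errors.New("PAN length out of range")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return ProtectedPAN{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return ProtectedPAN{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return ProtectedPAN{}, err
	}
	// Only the last four digits survive in clear; everything else is sealed.
	masked := strings.Repeat("*", len(pan)-4) + string(pan[len(pan)-4:])
	ct := gcm.Seal(nil, nonce, pan, captureContext)
	return ProtectedPAN{Nonce: nonce, Ciphertext: ct, Masked: masked}, nil
}

// Unprotect belongs only at the trusted boundary (host security module or
// acquirer switch) that legitimately needs the clear PAN; GCM's tag also
// rejects ciphertext that was modified in transit or at rest.
func Unprotect(p ProtectedPAN, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, p.Nonce, p.Ciphertext, captureContext)
}

// wipe overwrites a buffer with zeros.
func wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// IsWiped reports whether every byte of b is zero, i.e. the plaintext really
// was scrubbed after Protect returned.
func IsWiped(b []byte) bool {
	for _, c := range b {
		if c != 0 {
			return false
		}
	}
	return true
}

func main() {
	key := make([]byte, 32) // constructed demo key; production keys come from an HSM/KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	pan := []byte("4111111111111111") // constructed test PAN
	p, err := Protect(pan, key)
	if err != nil {
		panic(err)
	}
	fmt.Println("retained form:", p.Masked, "| capture buffer wiped:", IsWiped(pan))
	clear, err := Unprotect(p, key)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered at trusted boundary:", string(clear))
	wipe(clear) // scrub again once the trusted component is done with it
}
```

The point of the `defer wipe(pan)` is that the plaintext is scrubbed on every path, including validation and key-setup failures; the masked string is the only clear-text derivative that outlives `Protect`, which is what an operator log or receipt needs.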
Skimming and social engineering attacks are on the rise, CERT-In also notes.
"A thief can obtain users' credit card numbers using a small electronic device near the card acceptance slot and store hundreds of credit card numbers," it warns. CERT-In advises consumers to change their ATM PINs regularly.
Securing Online Banking
Following Modi's demonetisation initiative, which was designed, in part, to encourage cashless transactions, CERT-In called attention to risks associated with online banking.
The major attacks CERT-In describes are:
- A credential-stealing attack using malicious software or phishing;
- A channel-breaking attack, involving intercepting communication between the client side and the banking server;
- Content manipulation, also known as a man-in-the-browser attack, at the application layer between the user and the browser. The adversary gains privileges to read, write, change and delete browser data while users are unaware.
Some security experts are calling for CERT-In to go beyond issuing guidance and provide a stronger push toward compliance with the guidelines offered.
Many organisations overlook threat intelligence because they don't think it's relevant, security experts say. Plus, many believe that adhering to best practices is too expensive.
"It's time to comprehend the underlying threat and carry out a detailed risk assessment of card-present transaction-related IT infrastructures," says Mumbai-based Balaji Venketeshwar, a cybersecurity researcher and consultant. "Cyber threat intelligence is critical to prevent repeat cyberattacks using the same methodology."
Venketeshwar questions the value of CERT-In's latest advisory, "because unfortunately, CERT-In's advisory just throws up some data and does not provide guidance or actionable threat intelligence, which could be followed by the practitioners."
Santosh Khadsare, an information security professional and cyber forensics investigator, says many organisations lack technical expertise to deploy security tools and rely on legacy systems that need major upgrades to improve data security.
Because so many enterprises lack the resources to address security, advisories from CERT-In and others have very little impact, argues Sriram Natarajan, chief risk officer at Quattro, a business process outsourcing organisation.
"Demonetisation has put the glare on customer convenience; often enough, customer protection is getting short shrift," Natarajan says. "Enterprises lack continuous diligent monitoring of alerts, reviewing trends and patterns."
Security Best Practices
The CERT-In advisory offers a number of security best practices for banks and ATM operators to thwart attacks.
"Micro ATMs must not transmit confidential data unencrypted," it states. Organisations also should make sure devices "automatically log out the operator and lock itself after a period of inactivity." Plus, they should "keep all the micro ATM software, application, anti-virus regularly updated and educate customers about basic functionalities and security best practises."
But Krishnan calls on CERT-In to provide additional guidance.
"Practitioners are informed of how Darknet-affiliated cyber-fraudsters are innovating ways of exploiting systems and processes for committing fraud," Krishnan argues. "CERT-In must provide guidance on how organisations should respond to and report cyber incidents."
Krishnan recommends that organisations use devices for cashless transactions that come from a reputable company and are approved by an authorised government agency.
"The device should send transactions in an encrypted format, not plain text; the personnel responsible for carrying out cashless transactions for customers must be well-trained, aware of all fraudster methods," Krishnan says.
Khadsare calls on CERT-In to issue mandates to organisations to report breaches to the appropriate authority, which would help law enforcement to take necessary action in thwarting attacks.
And Venketeshwar says CERT-In "needs immediate focus on building advance cyber threat intelligence capabilities and improving actionable intelligence sharing capabilities using globally accepted protocol and language for effective machine-to-machine communication and enhanced intrusion prevention capability."