Analysis: India Post Payment Bank: Postmen Equally Bankers
The novel Republic of Republic of India Post Payments Bank volition bring banking to the doorstep past times using India's mammoth network of post service offices. Postmen volition perform digital transactions on their phones. That's raising concern amid safety leaders, who recommend adopting defense-in-depth security.
The novel banking concern is designed to serve a largely low-income population alongside footling banking experience, muchless sense alongside mobile or online technology. So these customers are especially vulnerable to social engineering.
"They are nigh prone to threats, including remote exploits (network-based attacks), phishing, ransomware together with cyber-espionage," says Aditya Khullar, technical leader-cybersecurity at Paytm, a e-commerce payment scheme together with digital wallet company. "Malicious users may endeavour unauthorized access through hand-held devices, too."
As a result, many safety practitioners recommend the banking concern implement new, rigid authentication methods together with educate a safety team.
Banking Service for the 'Unbanked'
Republic of Republic of India Post Payments Bank is incorporated equally a world sector companionship nether the Department of Posts alongside 100 per centum regime equity; it's governed past times the Reserve Bank of India.
IPPB, nether the ministry building of communications, enables iii lakh postmen together with Grameen Dak Sewaks, or postmasters, to digitally deliver fiscal services.
At the launch inward Delhi this week, Prime Minister Narendra Modi said: "The growing stair of engineering inward communication threw a challenge, together with nosotros used engineering equally a base of operations to plow that challenge into an chance to convert postmen into bankers delivering fiscal services to the rural sector."
IPPB volition hold upwards available through 650 branches together with 3,250 access points immediately, scaling to all 1.55 lakh post service offices past times Dec 2018.
IPPB accepts deposits upwards to Rs 1 lakh together with offers remittance services, mobile payments/transfers/purchases, debit cards, mesh banking together with third-party fund transfers.
Communications Minister Manoj Sinha says deposits higher upwards Rs. 1 lakh volition hold upwards automatically converted into post service piece of work savings accounts. "The banking concern is permitted to link around Rs. 17-crore postal savings banking concern accounts alongside its ain setup, including 1.4 lakh banking concern branches, nearly 50,000 of them inward villages, which facial expression upwards a challenge reaching the 'unbanked'," Sinha says.
Security inward Question
Suresh Sethi, managing managing director together with CEO of Republic of Republic of India Post Payment Bank, says inward an interview alongside Livemint: "There is a lot of focus inward ensuring all RBI guidelines regarding establishing the banking concern are met, including creating the correct customer-facing processes together with compliance alongside end-of-day balances."
He adds: "We are giving postmen smartphones, on which a mobile agent app volition hold upwards installed, together with a biometric authentication device, all connected on a real-time footing alongside our heart together with soul banking system. It volition reckon stringent RBI guidelines to ensure each transaction is online. We've invested inward real high-end engineering capability for ensuring our applications are simple, intuitive together with leveraging RBI's payment together with settlement system, which makes them affordable together with helps bring interoperable services to the terminal mile."
Singapore-based Tom Wills, managing director of Ontrack Advisory Pte. Ltd., a safety consulting firm, says the novel banking concern volition facial expression upwards the same threats all banks face. "However, its novel remote service delivery model using mobile devices carried past times postmen needs special attention; it's practically guaranteed that fraud volition hold upwards attempted from twenty-four lx minutes menstruum one," he says.
"Biometric authentication volition render protection against hacking together with many types of identity fraud, though non against social engineering (fraudsters persuading a legitimate user to shipping them money). No scheme inward the reason is able to halt that because it's a human, non technical, attack."
Dharshan Shanthamurthy, founder & CEO at SISA Infosecurity Pvt. Ltd., a payment specialist firm, says: "Regarding postal payments services, if biometric authentication is placed equally an additional factor, non equally a principal factor, it tin forcefulness out contain fraud risks, equally payment infrastructure is a real lucrative target for fraudsters."
The biggest challenge, says Mudit Rastogi, senior vice president-India together with APAC at Aujas Networks, a managed service provider, is delegating responsibleness for delivering services to those who are non engineering savvy. The handheld devices that are critical endpoints for banking are prone to fraud, he adds.
K.K. Mookhey, CEO at Network Intelligence, a cybersecurity consulting firm, expects IPPB volition facial expression upwards risks dissimilar from other banks, especially if the networks of the post service piece of work together with for banking transactions are non segregated.
Building inward Security
IPPB volition non require the job of debit cards. Instead, it volition rely on issuing novel QR (Quick-Response) cards that job biometric authentication, non passwords or PINs.
IPPB has already launched its app, which tin forcefulness out hold upwards used for mobile banking together with opening an Aadhaar-based concern human relationship without visiting a post service office, according to Live Mint.
Mookhey argues that IPPB needs to appoint a CISO to drive governance together with implement a proper organizational construction for policy together with procedure adoption. "It's a light-green champaign project, thus it's easier to construct safety past times pattern together with ideally pattern the safety architecture to address network, operating system, database together with application security," he says.
Khullar believes IPPB should focus on ensuring defense-in-depth equally it builds the infrastructure. "Known equally layered safety or layered defense, it describes the practise of combining multiple mitigating safety controls to protect resources together with data," he says.
Rastogi supports Khullar's declaration for a layered safety model alongside multifactor authentication which would aid inward establishing a secure transaction through handhelds.
"IPPB should receive got an in-house cybersecurity squad ... to enable thwarting attacks/exploits proactively," Khullar recommends.
Ideally, IPPB should job multimodal biometrics, Khullar says, using to a greater extent than than i characteristic feature, such equally fingerprint together with facial recognition, or capturing multiple sets of the same trait through dissimilar sensors, enabling stronger, foolproof authentication. "Combining private measurements - called biometric-fusion - increases robustness," he says.
Ontrack's Wills says IPPB should construct a safety ecosystem, segregating the banking concern network into back-end together with front-end. "The back-end, operated inside the bank's enterprise information technology environment, volition hold upwards secured simply similar whatsoever other banking concern back-end," he says. "The front-end is what's new, alongside mobile devices beingness carried past times Grameen Dak Sewaks together with postmen.
"Special attending must hold upwards paid to securing transactions together with sensitive personal information across the global scheme for mobile communication together with mobile network, together with inward the devices themselves. Transaction safety hither is addressed past times biometric + QR code reading process, and, I would assume, encryption of transaction information equally it travels across the network. Security of the device itself is non discussed, but it must consist of access controls (usually a PIN) plus addressing the special requirements of mobile application security, such equally preventing mistaken apps from beingness created together with downloaded together with preventing whatsoever malware on the device from accessing the mobile app."
