Financial Frauds through Digital Wallets and Digital Payment Security Controls

March 8, 2024

INTRODUCTION

A digital wallet or e-wallet, such as PayPal or Google Pay, is software that stores a user's payment cards in one place, allowing them to transfer money or complete other transactions without a physical card or cash. Consumers add their credit cards, debit cards, bank account details, cryptocurrency and other payment types to the digital wallet.

To use a digital wallet, users only need to download the application provided by their bank or a trusted third party onto their mobile phones. These applications come with multi-factor authentication such as facial recognition and fingerprint verification. It is largely because of these security features that the use of digital wallets is growing rapidly.

FinTech companies benefit immensely from their customers' use of digital wallets. Companies that collect consumer data for marketing purposes learn the purchasing habits of consumers and can thereby refine the marketing of their products.

HOW DO DIGITAL WALLETS WORK

To use a digital wallet, users enter their card details into the wallet application. This information is stored in encrypted form, which makes it essentially impossible for anyone to steal the data. To make a payment, the user holds the smartphone close to a contactless payment terminal.

Mobile wallets use “tokenisation”, in which the card number is replaced by a randomly generated number called a “token”. With a physical credit card, a fraudster can retrieve the victim's card details from a merchant's billing machine, but this is not possible with a digital wallet payment because only the random token is visible to the merchant.
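The tokenisation idea above can be made concrete with a small model of a token vault. This is an added example, not code from any wallet provider or from the original article: the vault is the only component that ever holds the real card number, the wallet is provisioned a random token bound to one device, the merchant's billing record contains only the masked token, and a token copied from a terminal is refused when presented from another device. The device binding stands in for the per-transaction cryptograms real payment schemes use, and the card number used is the well-known Luhn-valid test number, not a real card.

```python
import secrets


class TokenVault:
    """Minimal model of payment tokenisation (added example, not a real provider's code).

    The vault is the only place the real card number (PAN) exists. A wallet receives a
    random token bound to one device; the merchant terminal only ever sees that token.
    """

    def __init__(self):
        self._tokens = {}   # token -> (pan, device_id)
        self._issued = {}   # (pan, device_id) -> token, so re-provisioning is idempotent

    @staticmethod
    def luhn_ok(number: str) -> bool:
        """Luhn check-digit test that card numbers must pass."""
        total = 0
        for i, ch in enumerate(reversed(number)):
            d = int(ch)
            if i % 2 == 1:          # every second digit from the right is doubled
                d = d * 2
                if d > 9:
                    d -= 9
            total += d
        return total % 10 == 0

    def provision(self, pan: str, device_id: str) -> str:
        """Enrol a card on a device and return the token the wallet will present."""
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and self.luhn_ok(pan)):
            raise ValueError("not a valid card number")
        key = (pan, device_id)
        if key in self._issued:
            return self._issued[key]
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._tokens:
                break
        self._tokens[token] = key
        self._issued[key] = token
        return token

    @staticmethod
    def merchant_record(token: str) -> str:
        """What ends up in the merchant's billing system: the masked token, never the PAN."""
        return "**** **** **** " + token[-4:]

    def authorize(self, token: str, device_id: str, amount: float) -> bool:
        """Issuer-side check of a transaction submitted by a terminal."""
        entry = self._tokens.get(token)
        if entry is None:
            return False                # unknown token
        pan, bound_device = entry
        if bound_device != device_id:
            return False                # token replayed from a device it was not issued to
        return amount > 0               # real code would now authorise against `pan`


if __name__ == "__main__":
    vault = TokenVault()
    # 4111 1111 1111 1111 is the standard Luhn-valid test number, not a real card.
    token = vault.provision("4111 1111 1111 1111", "phone-A")
    print("token presented to terminal:", token)
    print("merchant sees:", vault.merchant_record(token))
    print("same device:", vault.authorize(token, "phone-A", 25.00))
    print("replay from another device:", vault.authorize(token, "phone-B", 25.00))
```

The point to notice is the last two lines of the usage: the same token that succeeds from the enrolled device is useless to someone who copied it from the merchant's side, which is what makes the token safe to expose where a card number would not be.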

Digital wallets employ the following technologies to give consumers a seamless transaction experience:

  • Quick Response (hereinafter referred to as “QR”) Codes – These are two-dimensional barcodes that encode information in a black-and-white pattern, which a user can read with a mobile camera or a digital wallet's scanner to initiate a payment. Payment applications can encode information such as the transaction amount and the intended recipient. For example, in the PayPal app, shoppers can generate a QR code to pay for in-store purchases from their account.
  • Near Field Communication (hereinafter referred to as “NFC”) – NFC technology transfers data wirelessly using electromagnetic signals, allowing devices such as smartphones, tablets and laptops to exchange data when they are close to each other, typically within an inch and a half.
  • Magnetic Secure Transmission (hereinafter referred to as “MST”) – MST technology allows smartphones to make wireless payments compatible with both traditional magnetic-stripe readers and newer no-swipe card terminals. It emits a magnetic signal similar to that of a swiped card, enabling transactions for customers and retailers without requiring equipment upgrades.

DIFFERENT TYPES OF DIGITAL WALLETS

1. Closed Wallet – A closed wallet is issued by a company selling products or services to its own customers. The funds stored in the wallet can be used only to purchase the products or services offered by that company. Money credited through returns, cancellations or refunds is also held in that wallet.

For example, Amazon Pay is used to pay for items purchased on the Amazon shopping application.

2. Semi-Closed Wallet – A semi-closed wallet allows users to transact at listed merchants and locations. Although the coverage of such wallets is restricted, consumers can make payments both online and offline through the wallet. Merchants, however, must enter into contracts with the issuer to accept payments from the wallet.

For example, Paytm Wallet.

3. Open Wallet – Open wallets are issued by banks and by institutions partnered with banks. Consumers can pay for every type of transaction with such a wallet, and can also withdraw funds from and transfer funds to bank accounts.

For example, PayPal allows users to pay for in-store and online purchases and also to withdraw their balance in cash.

WHAT IS A DIGITAL WALLET FRAUD

Digital wallet fraud refers to unauthorised activity that exploits a person's digital wallet for illicit transactions. This includes using stolen card information or creating fake digital wallets to trick individuals into revealing payment details. Fraudsters employ tactics such as phishing, malware and social engineering to exploit weaknesses in the digital wallet system.

Digital wallet fraud can take place in the following ways:

1. Phishing – This is a prevalent method used by cybercriminals to trick users into revealing their login credentials or other sensitive information. Fraudsters use deceptive emails, messages or websites to entice users into sharing confidential information.

2. Malware – Here the fraudster uses malicious software to infiltrate the user's device, which is then used to retrieve personal data, including the user's digital wallet credentials.

3. Fake Applications – Cybercriminals develop fake applications that masquerade as legitimate digital wallets. Users enter sensitive information, including card PINs and passwords, which grants the fraudsters unauthorised access.

4. Account Takeover – An account takeover occurs when a fraudster gains unauthorised access to an account, typically to steal funds or personal information. Accounts are breached using credentials stolen through phishing, social engineering and similar schemes.

5. Wi-Fi Snooping – Users of public Wi-Fi are vulnerable to interception of the data exchanged between wallets and terminals, which can lead to fraudulent transactions. Once the interception succeeds, the scammer gains access not only to the victim's financial information but also to confidential personal data.

PREVENTION OF DIGITAL WALLET FRAUD

In this era of technology, it is essential to safeguard oneself against the cyber risks surrounding financial technology. The following are ways to prevent digital wallet fraud:

1. Use Robust Authentication – Enhance the security of your digital wallet by activating multi-factor authentication. This adds a layer of security by requiring a verification step beyond a password, such as a one-time passcode sent to your mobile device.

2. Keep Software Up to Date – Regularly update both your digital wallet application and your device's operating system. Developers frequently release updates that fix security vulnerabilities, so staying current is essential to mitigate risk.

3. Be Wary of Phishing Attempts – Exercise caution with unexpected emails, messages or links that ask for your digital wallet details. Legitimate service providers never request sensitive information via email or messaging platforms. Verify the credibility of any such communication by contacting the company directly through official channels.

4. Fortify Your Devices – Use strong, distinct passwords for your digital wallet and update them regularly. Also enable biometric authentication such as fingerprint or facial recognition to strengthen device security.

5. Monitor Account Activity – Regularly review your digital wallet transactions and account actions. Promptly report any suspicious or unauthorised transaction to the wallet provider and take the necessary steps to secure your account.

6. Educate Yourself – Stay informed about the latest cybercriminal tactics and trends. Knowledge is instrumental in thwarting digital wallet fraud; familiarise yourself with common scams and remain vigilant to protect your finances.

CASE STUDY – METAMASK

MetaMask is a software cryptocurrency wallet used to interact with the Ethereum blockchain. It allows users to store and manage account keys, broadcast transactions, and send and receive Ethereum-based cryptocurrencies through a browser extension or a mobile application. Both the browser extension and the mobile application are equipped with an Ethereum wallet.

In July 2022, an active phishing campaign targeting MetaMask customers was discovered. Customers began receiving an email, purportedly from MetaMask, asking them to verify their wallets in order to comply with KYC regulations. The email was disguised so convincingly that an ordinary customer would believe it had been sent from an authentic source. After clicking the verification link, the user was redirected to a fake website and asked to enter their secret recovery passphrase.

Once the customer entered the passphrase, they were redirected to the real MetaMask website, which deceived them into thinking that everything was in order. In truth, the moment the passphrase was revealed, all the information about the user's crypto wallet was exposed to the scammers, who thereby gained access to the victim's wallet and were able to make payments on the user's behalf.

What was wrong with this attack?

In reality, on close inspection the above phishing attack was full of egregious errors; these were noticed later on, when the authenticity of the alleged KYC requirement was examined. The scammers duped customers by using the fake domain name “Metamaks” instead of “MetaMask”. This is known as cyber-squatting, in which the perpetrator registers an identical or similar domain with the intention of profiting from a recognisable trademark.

Even the email itself was delivered through a server unrelated to the real service. The email also lacked any personal touch, such as the recipient's real name or other identifying details, and gave no clear instructions on what needed to be done. Lastly, even the redirect URL belonged to “web.org”, with MetaMask appearing only as a subdomain of that registered domain.

Customers can be made aware of these small tell-tale signs so that they remain strict and attentive, and are protected against potential phishing attacks in the future.
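The tell-tale signs described in this case study can be checked mechanically, and a mail security gateway or a user-awareness tool would apply checks of this kind. The following is an added example, not MetaMask's code and not part of the original article: given a link, a sender address and the message body, it reports a brand name that appears only as a subdomain of some other registered domain, a lookalike domain found by edit distance (which is how “Metamaks” differs from “MetaMask”), a sender domain that does not belong to the brand, and a generic greeting. The legitimate domain metamask.io is an assumption used for the demonstration, the sample email values are constructed, and the public-suffix handling is a small stand-in for the real public suffix list.

```python
from urllib.parse import urlparse

# Tiny stand-in for the public suffix list; a real check should use a PSL library.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "co.in", "com.au"}


def registrable_domain(host: str) -> str:
    """The part of a hostname that someone actually registered, e.g.
    metamask.web.org -> web.org (the brand is just a subdomain of web.org)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions and
    adjacent transpositions, so 'metamaks' vs 'metamask' scores 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def assess_message(url: str, sender: str, legit_domain: str, body: str = "") -> list:
    """Return the warning signs found in a message claiming to come from `legit_domain`."""
    findings = []
    brand = legit_domain.split(".")[0]

    host = (urlparse(url).hostname or "").lower()
    if host:
        link_reg = registrable_domain(host)
        if link_reg != legit_domain:
            # Brand present only in the labels left of the registered domain.
            if brand in host[: len(host) - len(link_reg)]:
                findings.append(f"link host {host} is controlled by {link_reg}; "
                                f"'{brand}' is only a subdomain")
            else:
                findings.append(f"link host {host} is not under {legit_domain}")
            label = link_reg.split(".")[0]
            dist = osa_distance(label, brand)
            if 0 < dist <= 2:
                findings.append(f"link domain label '{label}' is a lookalike of "
                                f"'{brand}' (edit distance {dist})")

    sender_domain = sender.rsplit("@", 1)[-1].lower()
    sender_reg = registrable_domain(sender_domain)
    if sender_reg != legit_domain:
        findings.append(f"sender domain {sender_domain} does not belong to {legit_domain}")
        label = sender_reg.split(".")[0]
        dist = osa_distance(label, brand)
        if 0 < dist <= 2:
            findings.append(f"sender label '{label}' is a lookalike of '{brand}' "
                            f"(edit distance {dist})")

    greeting = body.strip().lower()[:40]
    if any(greeting.startswith(g) for g in ("dear customer", "dear user", "dear member")):
        findings.append("generic greeting: message is not addressed to the recipient by name")

    return findings


if __name__ == "__main__":
    # Constructed sample message modelled on the campaign described above.
    for finding in assess_message(
        url="https://metamask.web.org/verify",
        sender="kyc-team@metamaks.com",
        legit_domain="metamask.io",   # assumed legitimate domain for the demonstration
        body="Dear user, verify your wallet within 24 hours to comply with KYC rules.",
    ):
        print("-", finding)
```

The subdomain check is the one people most often miss: a hostname that starts with the brand name can still be registered by anyone, so the comparison must be made against the registered domain, not against whether the brand string appears somewhere in the host.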

The Way Forward

The best defence against phishing attacks like these is to stay vigilant when receiving emails and to think twice before clicking on anything that seems even slightly unusual or suspicious. If an email contains a link, one should visit the site directly instead and navigate to the target page from there. If an attachment is unsolicited or suspicious, one should call the sender before opening or downloading it.

No one can detect every phishing attack, so it is also important for companies to deploy an email security system that detects and blocks potential phishing attacks, together with multi-factor authentication, which mitigates the impact of compromised credentials.

RBI’s MASTER DIRECTION ON DIGITAL PAYMENT SECURITY CONTROLS

The latest RBI guidelines, RBI/2020-21/74 DoS.CO.CSITE.SEC.No.1852/31.01.015/2020-21, help organisations establish robust digital payment systems and implement effective security control standards for online payments. They came into effect in August 2021 and provide comprehensive governance and minimum security control standards for systems such as Internet banking and mobile banking. The directions cover Scheduled Commercial Banks, Small Finance Banks, Payments Banks and credit card issuing Non-Banking Financial Companies (hereinafter referred to as “NBFCs”). They will also have implications for third-party payment applications such as Google Pay and PhonePe. The objectives of the RBI Master Directions are as follows:

  • To enhance the security and governance of payment gateways, digital wallets and similar transactions.
  • To ensure that regulated entities prioritise and enhance the quality of governance, risk management and internal security controls, thereby fostering a safer digital payment environment.
  • To strengthen and refine internal grievance redressal mechanisms while enhancing disclosures regarding customer complaints.
  • Ultimately, to facilitate secure online transactions and prevent breaches, theft or leakage of sensitive customer data.

To achieve these objectives, the directions provide for the governance and management of security risk through risk assessment, a risk management and governance programme, a capacity management plan and data recovery procedures. They also prescribe specific security controls such as a multi-tier application architecture, multi-factor authentication and a threat modelling approach, as well as mechanisms for consumer awareness and grievance redressal. All in all, these directions are a welcome step by the RBI in the wake of increasing digital payment fraud, especially since COVID-19. They are comprehensive, addressing each and every loophole to ensure secure and seamless digital payments.

AMLEGALS REMARKS

In conclusion, addressing digital wallet fraud in India calls for a proactive and cooperative approach. The case study above illustrates the tactics used by cybercriminals and underlines the importance of a comprehensive prevention strategy. Educating users is vital in fostering a mindset of caution against phishing.

Technologies such as two-factor authentication and biometric verification add strong layers of security, protecting digital wallet accounts from unauthorised access. Digital wallets are here to stay and are becoming an integral part of our lives; their protection should therefore be a priority for every country.

-Team AMLEGALS assisted by Ms. Surbhi Talreja (Intern)


For any query or feedback, please feel free to get in touch with mridusha.guha@amlegals.com or liza.vanjani@amlegals.com.

© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.

 
