Security Audit Found 40 Vulnerabilities in NPCI including Several 'Critical' and 'High' Risk: Report
A 2019 government audit of India’s flagship payments processor, National Payments Corporation of India (NPCI), found more than 40 security vulnerabilities, including several it called 'critical' and 'high' risk, says a report from Reuters, citing internal government documents.
"The March 2019 government document cited the storing of 16-digit card numbers and other personal information such as customer names, account numbers and national identity numbers in “plain text” in some databases, leaving the data unprotected if the system was breached. The audit has not previously been reported," says Reuters.
The NPCI responded with a statement to Reuters that it is regularly audited in the interests of security and senior management reviews all findings, which are then “remediated to (the) satisfaction of the auditors”. This includes the findings cited by Reuters, it said.
However, according to Dr Rakesh M Goyal, managing director (MD) of Sysman Computers P Ltd, digital payments require robust security to maintain trust in the digital payment system. He says, "Today, due to 'n' number of cybercrimes, that trust is missing. It is not known whether NPCI is doing anything to create robust security or not; if it does, it is not to be seen. Many types of cyber frauds are still taking place. NPCI may say that they are not responsible as per their terms and conditions (T&C), but that does not create an environment of trust."
Dr Goyal describes himself as a perpetual student of cyber security since 1991; his company, Sysman Computers, is one of the few IT security audit organisations empanelled with CERT-In and CCA to audit the cyber security of critical national infrastructure and assets.
According to him, most security audits in organisations like NPCI are awarded under the lowest bidder (L1) tendering system, where the work goes to auditors who quote low rates just to bag the assignment. This comes at the cost of quality. "Audits are done to satisfy the minimum compliance requirement and not to identify the risk exposure. There are no quality benchmarks set up by organisations like NPCI for security audits. NPCI says that the vulnerabilities were 'remediated to (the) satisfaction of the auditors'. In a critical operation like NPCI, the security must be revalidated by a string of two-three independent auditors with a strong baseline and must not be based on other considerations," Dr Goyal added.
NPCI is a Section 25 company created under the Companies Act, for operating retail payments and settlement systems in India.
Quoting from the March 2019 government document, the Reuters report has further said that a variety of card numbers were unencrypted within the NPCI database for the country’s network of almost 250,000 ATMs, while unencrypted RuPay card numbers could also be seen in the organisation’s server logs.
"It (the audit) recommended that sensitive data, customer data and personal identity information be 'properly encrypted or masked in the database and logs'," it added.
NPCI told Reuters that it stores card data in line with standards set by the PCI Security Standards Council, and has been subject to audits authorised by the council. “No non-conformities have been observed and we are fully compliant to these standards,” the statement from NPCI states.
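The audit's recommendation that card numbers be masked in databases and logs is the kind of control a defender implements at the logging layer, so that a primary account number (PAN) written by any code path is redacted before it reaches disk. The following Python is an added example written for this article; it is not NPCI's code, the auditors' tooling or any PCI Security Standards Council artifact. It keeps the first six and last four digits, the truncated display form PCI DSS permits, and uses a Luhn check so that unrelated long numbers such as transaction identifiers are left untouched. The regular expression, the filter class name and the sample card number (a constructed test PAN, not a real card) are all assumptions of the example.

```python
import io
import logging
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens.
# Constructed pattern for this example; tune the length range to the card
# schemes actually handled.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits (PCI DSS truncated form), star the rest."""
    digits = re.sub(r"[ -]", "", pan)
    if len(digits) < 13:
        return pan
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form.

    Numbers that look like a PAN but fail the Luhn check (timestamps,
    transaction ids) are left as they are.
    """
    def _sub(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        return mask_pan(digits) if luhn_ok(digits) else match.group(0)
    return _PAN_RE.sub(_sub, text)


class PanRedactingFilter(logging.Filter):
    """Logging filter that redacts PANs after the message has been formatted.

    Attached to a handler it runs before emit(), so the record written to
    the stream never carries a full card number, whichever logger produced it.
    """
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def log_with_redaction(message: str) -> str:
    """Emit one INFO line through a logger fitted with the filter; return it.

    Hypothetical helper that captures the handler output so the behaviour
    can be inspected without writing to a real log file.
    """
    stream = io.StringIO()
    logger = logging.getLogger("pan-redaction-example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PanRedactingFilter())
    logger.addHandler(handler)
    logger.info(message)
    return stream.getvalue().strip()


if __name__ == "__main__":
    # Constructed sample line: a Luhn-valid test PAN next to a transaction id.
    print(log_with_redaction("txn_id=1234567890123 pan=4111 1111 1111 1111 status=OK"))
```

The filter sits on the handler rather than on an individual logger so that every logger propagating to that handler is covered, including third-party libraries that log request bodies. Masking in logs is only half of the recommendation: the same `mask_pan` form, or field-level encryption, has to be applied before the value is persisted in the database.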
Other high-risk issues in RuPay and other NPCI applications cited by the government audit included a so-called 'buffer overflow' vulnerability, a memory safety issue that can allow attackers to take advantage of coding mistakes.
Operating systems used by the NPCI were not 'up to date' and one of its mail servers had inadequate anti-malware functionality, it also said.
The audit was conducted by a team of 10 to 12 people at NPCI’s Mumbai headquarters and offices in two other cities, a person familiar with the matter, who declined to be identified, told Reuters.
NPCI, on its website, however, says it has designed its enterprise risk framework drawing guidance from the regulatory guidelines of the Reserve Bank of India (RBI), the ISO 31000:2009 standard, the COSO framework and guidelines from the Bank for International Settlements (BIS). "Additionally, basis regulatory requirement NPCI is aligned with principles for financial market infrastructures (PFMI) guidelines. This ensures that NPCI has effective systems and controls in place to identify; measure; monitor; manage and report risks arising in and across NPCI's operations," it says.
In addition, NPCI says it has adopted a data security policy which is in line with most globally accepted standards on data privacy and security. It says, "The policy has been put to effect since September 2018 and the majority of our applications are assessed and mitigated to adhere to the data security policy of NPCI. There are appropriate remedial actions that are being worked to ensure customer data remains safe and secure at NPCI."
According to Dr Goyal, NPCI needs to revisit its system and data flow; incorporate security and privacy at the design and architecture level of its systems; redefine testing and security validation; and redefine the APIs it exposes to participating organisations and banks, among many other things.
"Further, there is no deterrent data privacy law except sec 43A of the IT Act. The Personal Data Protection Act (PDPA) is still pending with the Parliament. There is no accountability at NPCI. No heads roll in NPCI. No action is taken on the auditor, who was satisfied with the remedial action," the cyber security expert added.