Security Audit Found 40 Vulnerabilities in NPCI including Several 'Critical' and 'High' Risk: Report
A 2019 government audit of India’s flagship payments processor, National Payments Corporation of India (NPCI), found more than 40 security vulnerabilities including several it called 'critical' and 'high' risk, says a report from Reuters, citing internal government documents.
 
"The March 2019 government document cited the storing of 16-digit card numbers and other personal information such as customer names, account numbers and national identity numbers in “plain text” in some databases, leaving the data unprotected if the system was breached. The audit has not previously been reported," says Reuters. 
 
The NPCI responded with a statement to Reuters that it is regularly audited in the interests of security and senior management reviews all findings, which are then “remediated to (the) satisfaction of the auditors”. This includes the findings cited by Reuters, it said. 
 
However, according to Dr Rakesh M Goyal, managing director (MD) of Sysman Computers P Ltd, digital payments require robust security to maintain trust in the digital payment system. He says, "Today due to 'n' number of cybercrimes, that trust is missing. It is not known whether NPCI is doing anything to create robust security or not; if it does, it is not to be seen. Many types of cyber frauds are still taking place. NPCI may say that they are not responsible as per their terms and conditions (T&C) but that does not create an environment of trust."
 
Dr Goyal describes himself as a perpetual student of cyber security since 1991; his company, Sysman Computers, is one of the few IT security audit organisations empanelled with CERT-In (the Indian Computer Emergency Response Team) and the CCA (Controller of Certifying Authorities) to audit the cyber security of critical national infrastructure and assets. 
 
According to him, most security audits in organisations like NPCI are awarded under the lowest-bidder (L1) tendering system, where the work goes to auditors who quote low rates just to bag the assignment. This comes at the cost of quality. "Audits are done to satisfy the minimum compliance requirement and not to identify the risk exposure. There are no quality benchmarks set up by organisations like NPCI for security audits. NPCI says that the vulnerabilities were 'remediated to (the) satisfaction of the auditors'. In a critical operation like NPCI, the security must be revalidated by a string of two-three independent auditors with a strong baseline and must not be based on other considerations," Dr Goyal added.
 
NPCI is a not-for-profit company incorporated under Section 25 of the Companies Act, 1956 (now Section 8 of the Companies Act, 2013), for operating retail payments and settlement systems in India. 
 
Quoting from the March 2019 government document, the Reuters report has further said that a variety of card numbers were unencrypted within the NPCI database for the country’s network of almost 250,000 ATMs, while unencrypted RuPay card numbers could also be seen in the organisation’s server logs.
 
The audit "recommended that sensitive data, customer data and personal identity information be 'properly encrypted or masked in the database and logs,'" Reuters added.
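The log-masking recommendation above is the kind of control that can be enforced mechanically at the point where log lines are written. The following is an added illustration (not code from the audit, Reuters, or NPCI) of a log scrubber that finds 13-19 digit runs, keeps only those that pass the Luhn check that payment card numbers carry, and replaces them with the PCI DSS display form of at most the first six and last four digits. The log lines and card numbers are constructed for the example (the RuPay-style number below was built to pass Luhn); real deployments would also need patterns for spaced or hyphenated card numbers and for national identity numbers, which this example deliberately leaves out.

```python
import re

# Candidate primary account numbers (PANs): 13-19 contiguous digits not
# embedded in a longer digit run. RuPay, Visa and Mastercard use 16.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Mask a PAN to the PCI DSS display form: first six and last four visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_line(line):
    """Mask every Luhn-valid PAN in one log line. Returns (clean_line, pans_found)."""
    count = 0

    def repl(match):
        nonlocal count
        candidate = match.group(0)
        if luhn_valid(candidate):
            count += 1
            return mask_pan(candidate)
        # Digit runs that fail Luhn (transaction refs, timestamps) are left alone.
        # Luhn only cuts false positives ten-fold; over-masking is the safe failure.
        return candidate

    return PAN_RE.sub(repl, line), count


def scrub_log(lines):
    """Scrub a sequence of log lines. Returns (clean_lines, total_pans_found)."""
    cleaned, total = [], 0
    for line in lines:
        clean, n = scrub_line(line)
        cleaned.append(clean)
        total += n
    return cleaned, total


# Constructed sample log: two real-looking PANs (one RuPay-style, one Visa test
# number), one 16-digit transaction reference that fails Luhn, and one 12-digit
# identity number that this PAN-only rule does not cover.
SAMPLE_LOG = [
    "2019-03-01 10:15:02 INFO  auth ok card=6521123456789004 amount=1250.00",
    "2019-03-01 10:15:03 INFO  txn ref=1234567890123456 status=settled",
    '2019-03-01 10:15:04 DEBUG request {"pan":"4111111111111111","cvv":"***"}',
    "2019-03-01 10:15:05 INFO  kyc id=123456789012 verified",
]

if __name__ == "__main__":
    clean_lines, found = scrub_log(SAMPLE_LOG)
    for line in clean_lines:
        print(line)
    print("PANs masked:", found)
```

Run against the sample, the first and third lines come back with the card numbers reduced to their BIN and last four digits while the transaction reference on the second line is untouched. The 12-digit identity number on the fourth line passes through unchanged, which is exactly the gap a reviewer should flag: the audit cited national identity numbers alongside card numbers, and a PAN-only rule does nothing for them.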
 
NPCI told Reuters that it stores card data in line with standards set by the PCI Security Standards Council, and has been subject to audits authorised by the council. "No non-conformities have been observed and we are fully compliant to these standards," the statement from NPCI states. Rendering stored card numbers unreadable, including in logs, is an explicit PCI DSS requirement (Requirement 3.4), so the audit finding and the compliance claim are hard to reconcile unless the logging issue was remediated before the PCI assessment; the statement does not say when that happened.
 
Other high-risk issues in RuPay and other NPCI applications cited by the government audit included a so-called 'buffer overflow' vulnerability, a memory-safety bug in which a program writes more data into a fixed-size buffer than it can hold; an attacker who controls that input can corrupt adjacent memory and, in the worst case, run code of their choosing.
 
Operating systems used by the NPCI were not 'up to date' and one of its mail servers had inadequate anti-malware functionality, it also said.
 
The audit was conducted by a team of 10 to 12 people at NPCI's Mumbai headquarters and offices in two other cities, a person familiar with the matter told Reuters, declining to be identified.
 
NPCI, on its website, however, says it has designed the enterprise risk framework drawing guidance from regulatory guidelines of Reserve Bank of India (RBI), ISO 31000:2009 standard; COSO framework and guidelines from Bank for International Settlements (BIS). "Additionally, basis regulatory requirement NPCI is aligned with principles for financial market infrastructures (PFMI) guidelines. This ensures that NPCI has effective systems and controls in place to identify; measure; monitor; manage and report risks arising in and across NPCI's operations," it says.
 
In addition, NPCI says it has a data security policy in line with most globally accepted standards on data privacy and security. It says, "The policy has been put to effect since September 2018 and majority of our applications are assessed and mitigated to adhere to data security policy of NPCI. There are appropriate remedial actions that are being worked to ensure customer data remains safe and secure at NPCI."
 
According to Dr Goyal, NPCI needs to revisit its system and data flows; incorporate security and privacy at the design and architecture level of its systems; redefine testing and security validation; and redefine its APIs with participating organisations and banks, among many other things.  
 
"Further, there is no deterrent data privacy law except section 43A of the IT Act. The Personal Data Protection Act (PDPA) is still pending with the Parliament. There is no accountability at NPCI. No head rolls in NPCI. No action taken on the auditor, who was satisfied with the remedial action," the cyber security expert added.
 
COMMENTS

vivek_shah64 (5 days ago): We've already seen the sorry state of affairs with Aadhaar and Aadhaar Pay; if ever there is a cyberattack at NPCI, god save us!!!

prasanna (5 days ago): Instead of bucking up their systems, NPCI wants to restrict companies who are doing UPI transactions from acquiring new customers. This is nothing but stupidity.

prasanna (5 days ago): Terrible state of affairs. Regulators and Government are asleep at the wheel.

Ramesh Popat (5 days ago): OMG!