Weakest link in the Digital Payment System security is with the Mobile Operator

The Government of India is placing a huge reliance on Aadhaar for all forms of KYC. In the coming days, the Aadhaar Enabled Payment System (AEPS) will also be introduced, in which the biometric of the Aadhaar holder will be used to trigger a financial transaction, much like the UPI/BHIM application that may be used to send or receive money from another UPI account. It is said that this will be a “PIN-less” and “OTP-less” system.

What this means is that as soon as the application is triggered with a fund transfer request and the biometric of the Aadhaar holder is presented to the application, the payment will be completed without any second reference to the account holder. It will be a “single click” payment system.

There is no doubt that from the user's perspective AEPS will be very convenient, and particularly for less educated persons it appears to be an excellent system. However, one should not forget that in financial transactions “convenience” is only one aspect of the transaction; “security” is another important aspect that must be taken care of in any digital payment system.

It is to be reiterated that the systems being introduced by the Government expose the public to risks that are being ignored by the Government and its advisors.

Presently, Aadhaar has introduced a system whereby the “biometric” can be “locked”. When the biometric is locked, the system may generate an OTP for unlocking it. Alternatively, the Aadhaar holder has to go to the website and unlock the biometric, which again is done with an OTP. While this is touted as a security feature that will prevent misuse of an Aadhaar number, it must be recognized that the locking and unlocking are tied only to the OTP sent to the registered mobile number. A fraudster who obtains a duplicate SIM for that number can therefore overcome the locking security entirely.

Thus, in many ways, the OTP becomes the determining factor in securing a digital transaction. The security of the OTP is therefore only as good as the KYC process adopted by the mobile service provider, particularly when a SIM is reported lost and a replacement is sought.

Recently, the Supreme Court has suggested that every Aadhaar number may be linked to a mobile number, again on the assumption that this would secure the system.

If for any reason the mobile OTP becomes the norm, then there is a need to ensure that the system is hardened by:

a) Sending the OTP as an encrypted message

b) Increasing the complexity of the OTP from a 4-digit number to at least a 6-digit number and, if possible, a combination of letters and numbers

c) Using voice-based OTP delivery instead of text-based delivery

d) Encrypting the OTP on its return as well

e) Sending and receiving the OTP on either side with a digital signature, which is both secure and cyber law compliant.
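To make items (b), (d) and (e) concrete, here is an added example in Python of how a payment back end can issue and verify a hardened OTP. It is not code from this post or from any operator or UIDAI system. It assumes a shared MAC key provisioned between the issuing server and the receiving app (a simplification: an HMAC tag is an integrity check under a shared secret, not a digital signature in the sense of the IT Act, which would require an asymmetric key pair); all names such as OtpService, the transaction fields and the key value are hypothetical and the sample transaction is constructed for the example.

```python
"""Hardened OTP issuance and verification (illustrative code, not from the post)."""
import hashlib
import hmac
import json
import secrets
import string
import time

DIGITS = string.digits                          # 10 symbols
ALNUM = string.ascii_uppercase + string.digits  # 36 symbols


def keyspace(alphabet: str, length: int) -> int:
    """Number of distinct codes an attacker has to guess among."""
    return len(alphabet) ** length


def generate_otp(length: int = 6, alphabet: str = ALNUM) -> str:
    """Draw the OTP from a CSPRNG; random.choice would be predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _canonical(obj) -> bytes:
    # Deterministic serialisation so sender and receiver MAC identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def mac_tag(key: bytes, obj) -> str:
    """Integrity tag over the OTP message (shared-key MAC, assumed provisioned)."""
    return hmac.new(key, _canonical(obj), hashlib.sha256).hexdigest()


class OtpService:
    """Server side: issues OTPs bound to one transaction, single use, time limited."""

    def __init__(self, mac_key: bytes, ttl_seconds: int = 180, max_attempts: int = 3):
        self._key = mac_key
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._pending = {}  # txn_id -> record

    def issue(self, txn: dict, now=None) -> dict:
        now = time.time() if now is None else now
        otp = generate_otp()  # 6 alphanumeric characters, per item (b)
        expires = now + self._ttl
        # Only a hash of the OTP is stored, so a leaked table cannot be replayed.
        self._pending[txn["txn_id"]] = {
            "otp_hash": hashlib.sha256(otp.encode()).hexdigest(),
            "txn": dict(txn),
            "expires": expires,
            "attempts": 0,
        }
        body = {"txn": dict(txn), "otp": otp, "expires": expires}
        # Outbound message carries a tag the app checks before showing the OTP.
        return {"body": body, "tag": mac_tag(self._key, body)}

    def verify(self, txn_id: str, submitted_otp: str, txn: dict, now=None) -> bool:
        now = time.time() if now is None else now
        rec = self._pending.get(txn_id)
        if rec is None:
            return False
        if now > rec["expires"] or rec["attempts"] >= self._max_attempts:
            self._pending.pop(txn_id, None)  # expired or locked out
            return False
        rec["attempts"] += 1
        # The OTP authorises exactly the transaction it was issued for;
        # a code obtained for Rs 500 must not authorise Rs 5000.
        if txn != rec["txn"]:
            return False
        digest = hashlib.sha256(submitted_otp.encode()).hexdigest()
        ok = hmac.compare_digest(digest, rec["otp_hash"])  # constant-time compare
        if ok:
            self._pending.pop(txn_id, None)  # single use
        return ok


def client_check(key: bytes, message: dict) -> bool:
    """Receiving app: reject any OTP message whose tag does not verify."""
    return hmac.compare_digest(mac_tag(key, message["body"]), message["tag"])


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed for the example
    svc = OtpService(key)
    txn = {"txn_id": "T1", "payer": "acct-1", "payee": "acct-2", "amount": "500.00"}
    msg = svc.issue(txn)
    print("4-digit numeric keyspace:", keyspace(DIGITS, 4))
    print("6-char alphanumeric keyspace:", keyspace(ALNUM, 6))
    print("message authentic:", client_check(key, msg))
    print("OTP accepted:", svc.verify("T1", msg["body"]["otp"], txn))
```

The two numbers printed by keyspace are the whole argument for item (b): a 4-digit code can be exhausted in ten thousand guesses, a 6-character alphanumeric code needs over two billion, which is why the attempt counter and expiry in verify matter as much as the code length. Returning the OTP over an encrypted, tagged channel (items d and e) is what stops the code being read or altered in transit; none of this helps if the attacker simply holds the replacement SIM, which is the point of the post.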

While I do not expect many operators to become cyber law compliant and use digital signatures on mobile, encryption can be adopted without much difficulty. However, there needs to be a secure key management system to ensure that the security is difficult to breach.

I hope the authorities, including the implementers of the Watal Committee recommendations, will consider appropriate measures to harden the security of the OTP system, which has already been degraded by NIST in the USA but continues to be used in India.

I presume that the mobile operators also realize their responsibility to exercise care in obtaining KYC of their customers, both when new SIM cards are issued and when lost SIM cards are replaced.

The irony of the current system is that the mobile operator may use Aadhaar as KYC for issuing SIM cards, while Aadhaar uses the OTP sent to that SIM card for locking and unlocking the biometric or for issuing e-Aadhaar. This circular authentication is not an ideal security support: whoever controls the SIM controls both the Aadhaar lock and the SIM re-issue, so it collapses into more or less a “single factor” authentication system. There is therefore a need to think of alternative measures to break this “circular authentication system”.



Tamil Nadu breathes again

For the last few days, the fight for the CM's chair launched by Ms Sasikala Natarajan (VKS) against Mr O Panneerselvam (OPS) had reached a crescendo, with the MLAs supposedly supporting her being held at a resort. The MLAs were not allowed any interaction with the outside world and had even been cut off from TV, newspapers and the Internet. A few MLAs from this group escaped from captivity and joined the OPS camp, confirming that they had been held against their will by VKS. This was a complaint of a cognizable offence of which the Police failed to take notice. Even when the Court asked for a report, the Police were only able to report that 119 MLAs had confirmed that they were staying of their own will and were not forcibly held captive. However, there were at least about 124 MLAs at the resort at that time, and why the Police could not meet the other 5 MLAs was not known.

Today, the Supreme Court judgement held that Ms VKS is guilty in the Disproportionate Assets (DA) case and has to undergo four years of imprisonment. This effectively made her ineligible to be elected as CM. The VKS camp has now elected an alternate person and is still claiming the CM's post. However, OPS, who is the caretaker CM, continues to make his claim that the majority of MLAs will support him if there is a proper test of strength.

It is creditable that the Supreme Court, which took more than 8 months to come out with its judgement reversing the previous judgement of the Karnataka High Court (Judge: MR Kumaraswamy, since retired), came out with a massive 570-page judgement (Copy of Judgement available here) upholding the trial court judgement. The judgement of the Karnataka High Court was a blatantly erroneous judgement which said, in effect, “The accused are guilty of disproportionate assets, but if we add the value of all the assets, the excess of assets over known sources of income is only Rs 2.82 crores, which is less than 10% of the known sources and hence does not warrant punishment”.

In arriving at this total of Rs 2.82 crores, the Judge had made a totalling mistake that is visible in the judgement copy itself, and hence his conclusion was comical. The correct addition would increase the value of excess assets to over Rs 15 crores. Hence the judgement could have been overturned at a glance as something prima facie erroneous, and in fact it suggested some mala fide inference on the part of the soon-to-retire Judge.

Now the Supreme Court has found that the disproportionate assets could be around 211%, which shows the order of the error the Karnataka High Court judge committed and on the basis of which he acquitted the accused.

However, the erroneous judgement gave enough room for J Jayalalitha to spend her last days as the CM, and justice has now caught up with the co-accused.

At last the truth has prevailed.

Though this case has no relation to the Cyber Law issues that we normally discuss here, as a person who spent over 25 years in Tamil Nadu, the undersigned was unhappy with the state of affairs prevailing in the State and hence this judgement now comes as a great relief.

I now wish that governance returns to Tamil Nadu and that OPS would be allowed to run his Government without the VKS camp creating more hurdles. If, however, the VKS camp decides to continue its fight, DMK will become the largest party in the Assembly, but in a situation where nobody will be able to claim a majority. Then we may see President's Rule in the State.

I hope Mr OPS will not be content with getting back his CM chair but will order a proper probe into the mystery around the death of Ms Jayalalitha. This will bring out the fraudulent use of the concept of “Privacy of Health Information” by the Apollo Hospital authorities and the people surrounding Ms Sasikala. This is important from the point of view of defining the “Rights of the Kith and Kin as well as the general public” to know the health information of an individual in certain circumstances. Proper checks and balances will have to be codified into the new law on Health Care Data Security and Privacy which the Central Government is in the process of writing. (See www.hdpsa.in).

I also wish that the Supreme Court/Constitution will in future not allow a non-member of a house to be appointed as CM/PM and will make it mandatory that the leader of a legislature party should also be a member. This will prevent some of the anomalies which we see in such circumstances. The present “I have the letter of support and therefore I am the CM” situation should go. The “Composite Confidence Vote” could be made mandatory in all such cases, rather than calling the person with the largest number of supporters to be sworn in immediately, as is being suggested now as a constitutional requirement.

Tamil Nadu should also ensure that its police force is not overtly political, as it is at present, where it sometimes appears to blindly support the ruling dispensation, as was the case in recent months.

I also wish that the Supreme Court censures the High Court judge who gave out the erroneous judgement, which was not an error of judgement on any point of law or even of facts. It was an error in the arithmetic totalling of a few figures, which should have been corrected much earlier, probably by suo moto action of the Karnataka High Court itself, without the need for an appeal. If it were not for the persistence of Mr B.V. Acharya, the public prosecutor, the Karnataka Government could even have failed to appeal the erroneous judgement, in which case the truth would have been buried for ever.

Let’s wait and watch how things turn out.