Rouge apps can spoil the digital payment landscape: Kartik Shahani, RSA India

Recently Dataquest had a conversation with Kartik Shahani, Managing Director India/SAARC – RSA, on the sidelines of growing security challenges in India as the digitalization drive has picked up momentum with demonetization. Excerpts:

How is RSA operating after the Dell acquisition? Is there any ground level change?

No changes at all. We used to report into EMC from RSA’s perspective. We were a business unit of EMC, but a very independent business. Our operation was almost as independent as probably VMware or Pivotal - which are slightly different from the core business of EMC. However, we were very important to the EMC business because in a large deal we would become the differentiator as against any other contender e.g.: Hitachi, Netapp, even HP, that wouldn’t have the security stack required for the entire bid specifically in the govt tenders or a very big tender. It used to work really well for us. EMC used to provide access into those accounts for which they had a very large deployment. So our technology goes very well when you have a replication taking place between DC and DR. Now, with Dell acquisition we are not reporting into EMC anymore. We now report directly and are another business unit of Dell. So instead of being a business unit of EMC, we are a business unit of Dell.

What sort of opportunities does RSA see in the security space specifically after the demonetization move where India is witnessing an upward surge in cashless transactions?

The current landscape is outlined with 60% of the population residing in rural and 40% in urban areas. The 40% urban population has so far been addressed by the banks. The remaining 60% population living in rural parts has not been addressed by the banking system. The government has been very keen on bringing those people into the banking system. This is the reason why the govt began the Jan Dhan scheme. In the scheme, many accounts were opened. But it did not result immediately into frequent transactions. With demonetization what has happened is that those who were brought into the financial fold are back into focus. The move has somehow pushed forward the digital drive.

Secondly no bank wanted to go into the rural space because there is no money so they kept on focusing on the urban side. With demonetization, in one shot they have opened a massive opportunity for the banking industry to be able to provide services to the people and get these 60% into the real financial inclusion that was envisaged. Now we have both the rural and urban and we have enough money, enough products enough to help the end user. Next question is what are the challenges? Now the biggest challenge is how do you get someone who has now become a part of the system to start using that system. However, changing behavior overnight is going to be a challenge.

You need a sudden shock to let people know that they don’t have any option but to do this. People have to be forced after some time. But we have seen it in many countries, including Singapore where people were forced to do things. I think it’s the circumstances which will now force people to use digital payments. They initially won’t like it as someone is pulling them out of their comfort zone but that’s what is really going to help.

For banks, scalability is going to be an issue. Overnight their systems were failing after many people turned to cashless transactions at the retail stores.

Post the note ban, hackers are having a feast as they are exploiting vulnerabilities in many e-wallets such as PayTM and MobikWik, etc. How can these things be stopped? What sort of security measures can be taken by the wallet players immediately to safeguard their platforms?

First of all, let’s try and differentiate between a wallet and a card transaction. If we look at both in terms of transaction, they are quiet similar. The technology, security measures everything is similar. However, there is one massive difference between the two and that is 'you can't control the end user in a wallet'. For a banking site, you have to log into the banking portal, authenticate yourself and then can use the services. Plus, rouge apps are spoiling the sport. Users are getting cheated. The apps look very much like the original apps. If you download a rogue app, the bank or the merchant or whoever is providing the service cannot have any control on it. This malware is going to redirect users to a hacker. The biggest problem is, who is going to be able to authenticate whether the wallet app is good or bad. At RSA we are doing it. We have a thing called rogue app detection, which informs our customers who have taken our services. We bring down those sites. The problem is that every day there is going to be a new such app. There will always be some gap between the time it's detected as well as removed and the next one crops up.

A number of Indian banks faced challenges with their mobile apps as fraudsters exploited the loopholes in them to steal money. What is the best way to address these things? How can banks bring these incidents down?

At the end of the day we have this belief called the gap of grief. And this gap of grief is the fact that the problem is no longer related to the security technology. It has transitioned into a business problem. Because of a technical snags, the banks are losing money. This is forcing banks to look for a solution to address the business problem. In this way, it is the business which is looking for a security solution and not the security solution which is looking for a business. At RSA, we believe that business drives security. All the security that exists in an organization is business-driven security. No security company can provide solutions for the entire organization. We try to address the business problems. Organizations identify their issues and hence look out for solutions.

Do you think the RBI directive to all banks to report the security incidents immediately will help the banking ecosystem?

Absolutely. Not only that, it is also helpful from a risk analysis perspective. It would be easy to find out how often cyber attacks are happening, how common they are, how many people are getting affected due to them and at what speed the attacks are taking place. This will not only help the RBI and the affected banks but other banks to understand what sort of metrics are becoming the gateway to such attacks.