Tag Archives: rbi

How A Search For “Free Netflix Trial” Led Me To Uncover A Fintech Fraud

 

fintech compliance, RBI Notice #paytm #compliance #fintech

 

This article reminds me of an incident from my past life. I used to work for a Fintech company that was also into PrePaid Instrument wallets, powering one of the biggest utility service providers in India.

One day while doing an Attack Surface Management exercise, something strange happened. I noticed that our company name was quite popular on Youtube and associated hashtags were “free Netflix trial”, #freenetflix. This was around the time Netflix had entered India.

Attack Surface Management (ASM) is basically trying to find out all the references and entry points into an organisation’s servers / apps/ IPs on the web. This is done by doing deep searches using google dorks, dark web/deep web in both manual and automated ways. Nowadays, there are third-party companies that specialise in these.

Trivia: Interestingly, Cyber Insurance companies also use these ASM techniques to understand more about their clients digital footprint, exposure etc., and use it for calculating Cyber Insurance Premiums.

Curious, I dug deeper and found out a youtube video where an influencer had put up a tutorial on how one could easily create a virtual prepaid card in our platform, loading it for INR 2/- and then use that for Netflix trial for about a month and then recycle the whole process. I figured out that:

They were using the same Driving License (DL) numbers and sometimes recycling DL numbers by appending a digit. Since, in Minimum KYCs only numbers and some basic details like name and etc were collected, usually without any kind of photocopy of the documents. I believe this process has improved now (?).

I took those details and with the help of the internal teams, started researching more about those DL numbers. Turns out there were close to a few hundred accounts associated with that single number. Ideally, the systems should have flagged and blocked subsequent wallet creation using the same ID numbers. Somehow it was failing.

rbi non compliance

We looped in Compliance, FRM and legal. Such accounts with dubious credentials were invalidated and we started rolling out additional controls.

It was trivial to use the same numbers, unless there was a robust mechanism that checked the Document ID numbers and the associated identifiers like Mobile number, names etc.

Though I was in cybersecurity, this was my first brush with fighting digital fraud.

In another incident, fraudsters had cloned our fintech app and we had to loop in our legal teams to send a Trademark infringement to the AppStore to get this fake loan app removed.

In security we analyse the Tactics, Techniques and Procedures (TTPs) that are used commonly by the hackers. This helps us security teams in detecting and mitigating attacks by understanding the way threat actors operate.

Adapting a similar approach of examining the tactics, techniques, and procedures used by fraudsters will provide valuable insights into their behaviour and motives. With this understanding, the Fintechs and FIIs can help develop effective countermeasures. A good start would be documenting all the counter-fraud use-cases !

A key takeaway or a piece of advice to all the fintechs is to build a comprehensive list of use-cases proactively, and have them tested thoroughly. You can take help from your InfoSec teams in building these use-cases!

What do you say ?

#DigitalFraudPrevention #fintech #fintechfraud #search #attacksurface #TTPs #Tactics #Techniques #Procedures #usecase #ThreatActorAnalysis #frauddetection

Fighting Fraud Loan Apps with PKI

Fintech loan app scams

Rise of Fraudulent Loan Apps During Covid

In the aftermath of the Covid-19 pandemic from 2020 and its subsequent decline, there has been a notable surge in fraud cases, particularly revolving around counterfeit fintech apps offering loans. Individuals unsuspectingly downloading these deceptive loan apps are not only falling victim to steep interest rates but also compromising personal data such as photos and contacts. There have been following media reports where some have even committed suicide:

News report on Fake Loan Apps

This has escalated into a relentless cat-and-mouse game, with the odds heavily favouring fraudsters. I have closely followed some great work done by folks like Babu Lal in getting these fake loan apps removed from the playstores:

Babu Lal fighting against fake loan apps

Regulatory bodies are deflecting responsibility onto Play Stores, but I think that addressing this issue requires a collaborative effort between the Reserve Bank of India (RBI), Non-Banking Financial Corporations (NBFCs), and Play Stores operated by industry giants like Google and Apple.

Play Stores employ a gating check for allowing fintech apps, which involves verifying the NBFC certificate issued by the RBI. This certificate is essentially a copy of the physical document provided by the RBI to NBFCs/Banks/Financial Instituitions.

What has come to my attention, through both extensive reading of various reports and first-hand encounters with similar incidents, is that:

Fraudsters are Fabricating copies of the RBI-issued NBFC certificates.

These fabricated copies are then submitted to Play Stores along with the mobile app applications. It’s essential to note that sharing this NBFC certificate is mandatory for apps to be categorised as financial apps.

In the case we encountered, it took a significant amount of time to get the fake app removed from the playstore. This was an OEM playstore and not the regular Google or Apple owned.  The resolution ultimately necessitated pursuing the trademark infringement route.

The Solution:

One of the ways I thought this could be curbed or to an extent limited is by making use of Public Key Infrastructure (PKI) setup with Digitally Signed Certificates + Encryption and using the good old PGP/GPG tools. PGP stands for Pretty Good Privacy and originally developed by Phil Zimmermann in 1991 as a proprietary software. While GNU Privacy Guard (GPG) was developed as an open-source alternative to PGP. GPG is essentially PGP with an open-source licence.Yeah, it’s free and has no impact monetarily on the smaller banks and financial institutions for easy adoption. Only a small learning curve in the beginning on usage of GPG, but it’s better than losing money.

The goal is to establish a robust system that ensures the integrity of certificates and prevents the submission of falsified documents to Play Stores, thereby mitigating financial losses and data leaks.

Using PKI for leveraging a Web of Trust already in place

In the context of multiple stakeholders, this proposed solution aligns with the shared responsibility among Apple, Google, RBI, and NBFCs in addressing the rise of fraudulent fintech apps. Here’s a breakdown of the proposal:

1. Establish Dedicated Email Addresses and Publish Public Keys:

– All involved parties would create dedicated email addresses and publish their public keys into a Key Server. This ensures a secure and standardised communication channel.

2. RBI Digitally Signs Certificates for NBFCs:

– The RBI would be responsible for digitally signing certificates in the names of respective NBFCs, establishing a secure and verifiable authentication process.

3. Optional Encryption of Certificates for NBFCs:

– As an additional layer of security, the RBI could choose to encrypt these certificates with the respective NBFCs’ public keys while transmitting them, preventing potential Man-in-the-Middle (MITM) attacks. The reason to make this optional is, there are situations these certificates are attached when interacting with regulators.

4. NBFCs/Fintechs Decrypt and Use Certificates:

– NBFCs and Fintechs would then decrypt these certificates using their private keys and utilise them for their intended purposes.

5. NBFCs/Fintechs Sign and Encrypt Certificates for Playstores:

– NBFCs and Fintechs, having used the certificates, would digitally sign them and encrypt them with Google’s public keys as part of the Mobile App application form.

6. Playstore Teams Validate and Approve Apps:

– Playstore teams can efficiently validate these digitally signed and encrypted certificates, facilitating a streamlined approval process. Automation could be implemented given the inherent security of digital signatures.

7. Preventing Submission of Fake Documents:

– The proposed system effectively prevents the submission of fraudulent documents, such as copies of physical certificates, by ensuring the authenticity and integrity of digital certificates.

I couldn’t think of any loopholes except for the fact that commercial viability of PGP seems to have taken a severe beating. But there is good old GPG software to the rescue. While there has been similar implementation using Blockchain, the biggest hurdle I anticipate is the adoption with the NBFCs and other Financial Institutions that may not be tech-savvy.

The onus of keeping the RBI provided Certificates will be on the NBFCs and they can be revoked by RBI if in case they are leaked.

This is just a high level idea and can be further customised to handle the technical challenges and as reiterated earlier, this is a:

Shared Responsibility between the Regulator: RBI & Others, Playstore: Google, Apple & other Playstores, and NBFC/Fintechs/FIIs/Banks.

Opening this to scrutiny by peers. Please let me know what you think..

Reserve Bank of India (RBI) Google Apple

#fraudapps #fraudloanapps #loanappscams #loansharks #onlineloan #instantloan #loanpps #fintechfrauds

Digital Lending Guidelines Quick Overview

Concerned with increasing frauds and issues in the digital lending space, India’s central bank – Reserve Bank of India (RBI) had released digital lending guidelines sometime late last year covering various aspects. These are targeted for Banks, Non Banking Financial Companies (NBFC), Co-operative banks and other financial institutions.

It focuses on digital aspects around various areas like Technology standards, Privacy policy, Grievance redressal, Loan disbursal, servicing, repayment

Here is a quick overview of the digital lending guidelines, If you seek any guidance on this topic, please do not hesitate to get in touch with me here:

India Digital Lending Guidelines

Fintech Security & Compliance — Part 1

Fintech Security & Compliance — Part 1

image created using wordclouds

Fintech is one of the most happening sectors in India & world over with a wide array of services being delivered in lending, insurance, payments, stocks and mutual funds. While founders, product and engineering managers are busy in building the products and delivering them to the people in a rapid and scalable way, there is one huge challenge they must overcome. And that’s the Cyber Security aspect of it. I have had the opportunity to architect and implement controls around these requirements in the last few years and would like to share some thoughts here.

In India, Fintech regulators are:

  • Securities & Exchange Board of India (SEBI)
  • Reserve Bank of India (RBI)
  • Insurance Regulatory and Development Authority of India (IRDAI)

Each of these regulators have their own cybersecurity requirements and these span across multiple domains of cybersecurity like IT Governance, Information Security Audits (IS Audits), IT Outsourcing, IT Risk Management, Business Continuity Management (Good luck on a single region currently offered by the leading cloud vendor in India 🙂 ), Policies, Physical & Environment Security and etc

Apart from these, compliance with PCI DSS/PA DSS is a common requirement for all the fintechs handling credit card transactions. When it comes to PCI DSS, the magnitude of security requirements vary based on the volume of transactions. There are Four Merchant levels starting with Level 4 wherein a merchant handles 20,000 plus transactions and compliance requires that you fill a Self Assessment Questionnaire to Level 1 where 6 million plus transactions are handled annually. Level 2 and 1 have very comprehensive requirements to fulfil and are audited by a third-party.

Not all the Fintechs have the license to operate independently and they leverage the agreements with Banks/Financial institutions to offer the services. It would be surprising to know that banks themselves can offer most of the services which fintechs are offering. The key underlying factor here is Technology, which perhaps banks are yet to come to terms with. When it comes to security requirements and compliances, banks pass on these to the partnering fintechs. So multiple audits in a year are not unheard of in the fintech space.

RBI has Master Directions for entities operating in the banking/non-banking space covering Lending, Loans, Prepaid Payment Instruments, Non-Banking Finance Company (NBFC), Peer to Peer Lending companies, Full fledged banks, Payments Banks and so on.

IRDA has two two major cyber security requirements and one of them is meant exclusively for insurance offered on e-com channels like web/mobile/app channels called ISNP — Insurance Self Networking Platform. As most of the new-age insurance companies are ecom based, they are forced to comply with both (there is some overhead here).

IRDA’s requirement has a cybersecurity checklist with 307 controls and also mandates a Chief Information Security Officer (CISO) to be appointed by the insurance company! While these may be easier to implement for a legacy company with the monolithic architecture, startups usually find these difficult and herein lies the challenge.

SEBI’s framework for Stock Brokers and Depository participants is published here — What I found cool about SEBI’s directives on Cyber Security in comparison to RBI and IRDA is its forward looking approach and in sync with current demands and realities. For example they suggest using Bcrypt / PDKDF2 for hashing passwords, usage of passphrases vs complex passwords:

Also has a reference to Crypto Shredding, must confess I did not know such a terminology existed:

It makes me wonder if the major innovations in the fintech space in India is in the segment operated by the SEBI for reasons like these.

I am thinking of writing in detail about the challenges in complying with the security directives by the regulators in coming writeups but for now will focus on what this augurs for cybersecurity professionals in startups/fintechs.

There is going to be a huge demand for not just Developers, Product Managers, Architects, Data Scientists, but also Cyber Security professionals. When I say Cyber Security, it does not just limit to Pentesters / AppSec / Network / Cloud Security professionals. I see a demand for Data Privacy, Compliance and Legal folks who can understand, interpret complex regulations from the Regulators like RBI, SEBI & IRDA and help implement them in a creative, scalable and rapid way. I am currently working for an emerging Fintech company and a good chunk of my time is spent with the Legal team apart from the engineering folks in interpreting and helping fit newer technologies and controls around regulations, compliances, working on contracts, assessments, Third Party Risk management and etc

As a cyber security professional, I wouldn’t have expected to work this closely with the legal team, but no complaints and am beginning to see things from multiple perspectives! Remember that most startups live by the mantra:

“It is better to ask for forgiveness than permission”

At the end of the day, it’s all about solving problems.

If you have any questions, comments, feel free to post them here and I will try to answer them.

#fintech #cybersecurity #fintechsecurity #RBI #SEBI #IRDA #PCIDSS