Even as the Narendra Modi government is promoting digital payments in a move towards a ‘less cash’ economy, the country’s premier cyber security agency CERT-IN (Computer Emergency Response Team) has warned that all is not well with digital mode of payments and it could be vulnerable to cyber attack. 

In its advisory, CERT-IN has warned that even “the safest” mode of digital transactions through SMS-based OTPs (one time password) and biometric based authentications (mainly for digital transactions through Aadhaar card) could be vulnerable to cyber attack. 

In its recent advisory, the country’s nodal agency which mainly deals with cyber security threats and strengthens security-related defence of the Indian Internet domain, has told people to take extra security measures while using SMS-based OTPs and biometric authentications. 

CERT-IN said sometimes SMS-based OTP might also get hacked along the path between the sender and receiver. It suggested end­to-end encryption for the SMS through OTP and told service providers to explore separate dedicated SMS OTP channel. 

On the use of biometric authentication for digital payment, the agency said it should be protected with highest standard of security mechanism. "Biometric based authentications provide different kind of vulnerabilities. It is possible to lift the latent finger print with advanced technology and specialised chemicals. Though it is difficult, it is possible to intercept the biometric details like finger print,” the advisory said. 

To prevent such attacks, biometric data should be encrypted immediately at the time of capture on the capturing device, it suggested. “The biometric data collected must not be stored in the device or log files,” the agency said, asking people to use additional mode of security, including PIN and OTPs along with biometric data to secure transactions. 

The agency has also advised people to be extra cautious with old ways of cyber attacks including phishing, vishing and spoofing. While phishing is an old fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers, vishing is rather new in practice and  is used to cheat people  by making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers. 

Spoofing is also an old way of cheating in which communication is sent from an unknown source disguised as a source known to the receiver. Spoofing is most prevalent in communication mechanisms that lack a high level of security.