Don’t Go By What Mr Gandhi Says, Here’s How Your Money And Transactions On The Web Are Protected

Last night, Congress vice-president Rahul Gandhi’s twitter account was allegedly hacked, and this morning, the Indian National Congress’ official twitter account was supposed to be hacked too.

Many Congress supporters used this to attack the idea of a digital and cashless economy as well as the Prime Minister’s Digital India programme. Rahul Gandhi himself told reporters that this incident posed a huge question mark on digital security, stressing on the fact that his account was verified.

However, all of them are wrong, on many accounts. To begin with, Twitter’s servers are based out of the United States, and since no other account was reported hacked, this cannot be a major security breach. Further, this is not indicative of anything related to Digital India or a Cashless Economy. Those transactions have their own security.

Two-factor authentication

Two-factor authentication (2FA) was mandated for card-based transactions by the Reserve Bank of India (RBI) under the Payments and Settlements Act (PASA) of 2007. It requires that all card-based transactions proceed only with an additional layer of security. For card payments that are done using a swiping machine, a PIN has to be entered on the machine, failing which the transaction cannot go forward. In the case of ‘card-not-present’ (CNP) transactions such as online payments, the second factor authentication is either a PIN or a One-Time-Password (OTP) generated and sent to the customer’s registered phone number.

This second factor makes digital card-based transactions more secure, and less susceptible to theft. In 2014, the RBI had asked Uber to stop processing its payments abroad and ensure that 2FA was applied on transactions. Uber replied, stating that it would comply with the RBI directive, but at the cost of inconveniencing its passengers.

2FA is largely dependent on the 3-D secure system. The 3-D secure system, known commonly as verified by Visa or MasterCard SecureCode, operates across three domains or levels:

• Issuer Domain: Whoever issued the card.
• Acquirer Domain: Whoever is being paid.
• Interoperability Domain: The network being used; Visa or MasterCard.

Thus, during any transaction, the intermediate step after the user enters their card details takes them to the bank website where the user’s identity can be confirmed.

In the case of bank transactions, most banks require that the user sets separate passwords for operating the account, and to transact money. Some banks, such as ICICI provide a grid on the reverse of a Debit Card and require the user to enter specific numbers from behind the grid. Apart from this step, an OTP is sent to the mobile number.

Payments made via the Unified Payment Interface (UPI) require an M-PIN to be used, while platforms go an extra level requiring fingerprint-based authentication (using Apple Pay on an iPhone).

All transactions are done over secure internet connections using HTTPS and SSL, making it significantly difficult for anyone to intercept data being sent across platforms. 2FA allows for some safety even if the card or phone is stolen. In 2016, a senior official at MasterCard had stated that Indian regulators had done a good job in ensuring safety for digital transactions.

HTTPS

The Hypertext Transfer Protocal (HTTP) is used by websites to distribute their content. HTTPS is a protocol that does the same, except it uses a Secure Sockets Layer (SSL) to secure the communication between the server and the user by providing a secure channel and a more secure port. HTTPS ensures that no data is transferred if a secure channel is not available.

SSL works using the SSL session and the SSL connection:

• Connection: A logical link between the server and the user that provides a suitable type of service. The connections are transient and each connection is associated with one session.
• Session: An association between the user and server. Sessions define a set of cryptographic security parameters, which can be shared among multiple connections. Sessions are used to avoid the expensive negotiation of new security parameters for each new connection.

HTTPS requires that a website has a certificate issued to show that it is secure. The Transport Layer Security typically uses long-term public and private keys to generate a short-term session key, which is then used to encrypt the data flow between the user and server. Thus, HTTPS makes it difficult to intercept or intervene in a connection, and when combined with 2FA, financial security is safe. Banks ensure that if a user forgets their credentials to authorise a transaction, there are multiple steps in order to recover access, thereby making it difficult for someone else to get access to an account. This makes it safer than cash which can be stolen by simpler methods such as mugging someone who has money with them. Almost all major websites today use HTTPS, including Google, Facebook and Twitter, to protect their users.

In the case of Gandhi and the Congress, the alleged breach was caused after someone reportedly got access to their email address.

Every Indian transacting online is covered under the same amount of security, which by its setup, is indeed more secure than a Twitter password.