India Approves WhatsApp Payment Security - Concerns RemainThe Service Offers Two-Factor Authentication
Global messaging app WhatsApp's instant payment service went live in India on Dec.16. But despite its two-factor authentication being accepted by leading banks, there are concerns about potential security issues.
Among the concerns: complying with “know your customer” requirements and register as a payment/money transfer agent with RBI; enabling international transactions on a social media platform; complying with the Reserve Bank of India’s data localization requirements for storing Indian’s data locally to help improve privacy and security; and issues around the interoperability with the UPI platform using APIs and the risk of some using spyware to spy on targeted phases where decrypted messages can be read live or even retrieved.
Sriram Natarajan, president of Quinte Financial Technologies, a global fintech solutions company, says, "WhatsApp, being a social media outlet, will always face tougher scrutiny on security, primarily because social media tools are more focused on user experience and convenience rather than transaction security." He adds that consumers are also more flippant about the way they use social media, versus mobile wallets for payments.
The launch is considered a significant victory for WhatsApp and parent company Facebook, enabling it to expand its footprint in India. China’s WeChat Pay (debuted by Tencent) and Alipay (a product of the Alibaba Group), operating for the last decade, are reportedly targeting India’s smartphone users and trying to make inroads in India. GoJek pay is making waves in the Singapore and Indonesian markets. According to experts, these payment firms are using multifactor authentication tools along with strong IAM solutions to establish user authentication.
WhatsApp Pay’s Two-factor Authentication
The WhatsApp payment service uses the Unified Payments Interface, a real-time payment system, and the framework developed by the National Payments Corporation of India to facilitate peer-to-peer money payment transfers. Plus, using a 4 digit pin as the first level authentication and a second authentication factor, which can be the Aadhaar number - a 12-digit individual identification number, a mobile number, or a virtual payments address.
Whatsapp Pay works with India's five leading banks: ICICI Bank, HDFC Bank, Axis Bank, State Bank of India, and Jio Payments Bank, and this access, coupled with the increase in phishing attacks on digital payments, makes it a target for criminals, despite using 2FA.
Dr. N Rajendran, former chief technology officer at NPCI, says the authentication mechanism for the new WhatsApp service is similar to the verification required on Google Tez, allowing users to send money to anyone with a bank account even if they don't have their app on their smartphone.
At the back end, Rajendran says, banks must connect to NPCI's UPI using their payment service provider system, which will interface with the banks' core banking systems, banks' customers, authentication systems, and fraud and risk management systems. Banks can integrate UPI with their mobile banking system if they have one.
Securing WhatsApp Pay
Jordan McKee, an analyst with 451 Research who studies payments, noted that NPCI limited should test the company's security policies and procedures before letting it expand any further.
"Given the regulatory concerns WhatsApp has faced on its path to going live with a payment service in India, it can be expected that its operations and data privacy practices will be examined under a microscope after launch," McKee tells Information Security Media Group. "NPCI is taking a cautious approach, given WhatsApp will be limited to 20 million payment users to start. To earn the trust of the Indian market, Facebook has its work cut out to demonstrate its commitment to privacy and data security."
Natarajan says the biggest challenge is going to be consumer trust and consequent adoption. While WhatsApp may seem convenient, they have to build a vital element of trust among users as Indian customers are skeptical about using mobile wallets.
To comply with RBI’s ‘know your customer’ norms, Natarajan says the Whatsapp Pay users can now avail RBIs video-based customer identification process for onboarding, along with Aadhaar-based verification for establishing user authentication, says Natarajan.
Another risk with WhatsApp will arise in terms of interoperability with the UPI platform if the API interface is not healthy, says Satyavathi Divadari, chief cybersecurity architect and principal partner advisor-security, risk and governance, Microfocus. The two-factor authentication is not enough in this kind of transaction. These are prone to data leaks, she adds.
Divadari says WhatsApp needs to build APIs and deploy appropriate security controls, encryption tools, and third-party risk evaluation mechanisms to prevent data leakage during the transaction for secure payment.
Evaluating encrypted tools and API documentation between the app provider, payment gateways, and banks is critical, says Divadari.
"UPI is a transformative service, and we jointly have the opportunity to bring the benefits of our digital economy and financial inclusion to a large number of users who have not had full access to them before," Abhijit Bose, head of WhatsApp, India, said during the Facebook 'Fuel for India' virtual event, IANS media reports.
For banks, the WhatsApp system's most significant benefit is single-click two-factor authentication for subsequent transactions along with a universal application for transactions that leverage existing infrastructure, Rajendran says. WhatsApp says the service is designed with strong security and privacy principles, including entering a personal UPI PIN for each payment.
On a positive note for What'sApp, the NPCI, in a letter dated June 5, 2020, informed RBI that it "confirms" WhatsApp has now satisfied data-localization norms for payments service, the Times of India reports.