Payments processor NPCI had over 40 security risks, user data vulnerable, says 2019 govt audit

The findings of the audit conducted last year were reported by Reuters. Among other issues pointed out, user data was not encrypted.

   
Representational image | Photo: Flickr

New Delhi: The National Payments Corporation of India (NPCI), which operates the RuPay card network and other payment infrastructure, had over 40 cybersecurity vulnerabilities, including storing sensitive user information in plain text, which made it easy for hackers to access.

The findings, some of which were described as “critical” and “high” risk vulnerabilities, were reported in a four-month government audit that ended in February 2019, according to a Reuters report.

The news report, published on 30 July, was based on an “internal government document” accessed by Reuters.

NPCI, which Reuters referred to as ‘India’s flagship payments processor’, is a not-for-profit entity created by the Reserve Bank of India (RBI) and Indian Banks’ Association (IBA) to improve infrastructure for payments and settlements, especially with the use of technology. The RuPay card network, which NPCI operates and which is endorsed by Prime Minister Narendra Modi, reportedly claims to have over 500 million users and competes with the likes of Mastercard and Visa.




Problems within NPCI

A key vulnerability the Reuters report pointed out is that NPCI had not encrypted the personal data of users. The government audit, issued in March 2019, indicated that the 16-digit numbers on credit/debit cards and personal information such as name, account number, and national identity number were stored in “plain text” in “some” databases. Plain text is data that is not encrypted and, as such, can be read by any person with access to it.

So if a hacker had accessed the NPCI databases of user information, it would have been very easy to collect and exploit the data.

According to Reuters, NPCI processes “billions of dollars daily” through services like inter-bank fund transfers, ATM transactions and online payments.

The body had told the news agency in a statement that NPCI is “regularly” audited for security reasons, and that senior management looks at “all findings”. These findings are then “remediated to (the) satisfaction of the auditors”, it said, according to the news report.

National Cyber Security Coordinator Rajesh Pant told Reuters that “all observations raised in last year’s report have been confirmed as resolved by the NPCI”. The audit was coordinated by Pant’s office.

While the government audit had recommended that sensitive and personal data be “properly encrypted/masked in the database and logs”, it had also noted other vulnerabilities.

These included a ‘buffer overflow’ — an issue that could let hackers exploit flaws in coding — along with NPCI’s operating system not being up to date and a mail server having insufficient anti-malware functionality.

