Our recommendations on Draft IT (Security of Prepaid Payment Instruments) Rules 2017
- August 28, 2017
- Posted by: Shashank Kumar
- Category: Indian issues
IILF’s Recommendations on Draft IT (Security of Prepaid Payment Instruments) Rules 2017
The Rules in their current form do not address security issues faced by the public at large. If these are not dealt with sternly, critical data of users is vulnerable to hacking. Please note the following recommendations:
- All Mobile Wallet Applications (Apps) have access to read SMS of the User for the purposes of OTP, although a message is sent from every bank stating “Please do not share this OTP with anyone”. The Mobile applications have encrypted through SMS and can read the OTP a few seconds before it reaches the User’s Mobile Phone. The App auto-detects the OTP and does not allow the user to enter the OTP; rather, it automatically enters the OTP before executing the transaction. A similar format can be found on FreeCharge, PayTM and all other Bank Apps. A virus in the mobile is sufficient to trace all the banking credentials, and these, including the OTP, become vulnerable to threats. Therefore, a change in the security format is required and protection of banking credentials/OTP from these applications is the need of the hour. No Mobile Application should be allowed to read the SMS and OTP of any Mobile Phone.
- Mobile Wallets and other E-Commerce Applications such as AliExpress, Flipkart, Snapdeal, Grofers, etc. all provide the option to store your card number, Bank Details, etc. on their website. No such option should be provided on any website. An option to store cards and net banking information can lead to divulging of information if the website is hacked or otherwise used without consent. We have encountered issues from our clients wherein FreeCharge, Uber, etc. have stored Netbanking information of a client without providing an option to delete such information. Storing information without the consent of the User and not providing an option to delete it should be made punishable. If these bank details are hacked, the Mobile Wallet Applications and E-Commerce Applications should be held responsible and indemnify the User.
- Browsers such as Gmail and Mozilla Firefox provide an option to store cards once the card information is entered, including storing your expiry date, etc. Such details are being read by the browsers since the e-commerce websites are not secure and further banks are not secure. Web browsers getting access to the information would mean that
- A liability must be created upon the E-Commerce Websites/Applications accepting payment online to safeguard their websites and applications from hackers, failing which the Websites/Apps shall be vicariously liable to reimburse the amount credited wrongly from out of the User.