Cyber Security: Is Blockchain the Answer?

Cyber security has long been a serious matter for financial institutions and corporates alike, but fintech and the digital era raise the stakes. Delivering products and services through digital channels exposes more systems to scrutiny by attackers. The continuing adoption of fintech APIs (through which institutions offer their clients third-party services) and of cloud computing widens the attack surface further. Meanwhile, the growth of the digital economy is also creating a large population of highly trained technologists, and with it a larger pool of potential cyber attackers and cyber thieves.

Cyber threats affect all industries, but financial institutions are particularly at risk, because of the direct financial gain possible from a cyber intrusion. An important question is whether the existing cyber security guidelines issued by various industry organizations will continue to be adequate in the age of fintech and digital financial services.

Fortunately, the evolution of fintech also entails the development of new technologies aimed at creating the next generation of cyber security. A number of startups are beginning to develop applications using semantic analysis and machine learning to tackle KYC, AML and fraud issues. Significantly, IBM Watson and eight universities recently unveiled an initiative aimed at applying artificial intelligence to thwart cyber attacks.

The traditional cyber security paradigm is one of “defense,” and defenses can always be breached. Artificial intelligence, however advanced, still belongs to that paradigm: it puts up physical and virtual walls and fortifications to protect against, or react to, attacks, breaches, fraud and other financial crime.

What if there were a technology that broke through this “defense” paradigm and instead made cyber security an integral aspect of financial technology?

This is precisely the approach taken to cyber security by blockchain technology.

Bank consortia and startups alike are engaged in efforts to develop distributed ledgers for transfer of value (payments) and for capital markets trading (where the execution of complex financial transactions is done through blockchain-based smart contracts). Accordingly, distributed ledgers and smart contracts are likely to one day have a place in treasury operations, for both payments and trading.

Blockchain is gaining attention primarily because its consensus-based, distributed structure may create new business models within financial services. In addition, though, blockchain technology has cryptography at its core: not encryption in the sense of hiding data, but hash functions and digital signatures that both secure the ledger and are the very mechanism by which transactions are authorised, completed and recorded. In the case of Bitcoin, these primitives have held up under years of adversarial attention; the losses that have occurred came from compromised keys, wallets and exchanges around the ledger, not from breaking the ledger's cryptography, a reminder that the security of such a system depends on key management as much as on the algorithms. The further development of blockchain is also likely to drive work on next-generation cryptographic techniques such as multi-party computation and homomorphic encryption, which are already under development. In other words, blockchain is likely to play a role not only in altering the way payments and capital markets transactions are undertaken, but also in the way next-generation financial systems are secured.
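The point that the cryptography is the recording mechanism, rather than a wall around it, is easiest to see in code. What follows is an added example written for this page, not code from the article or from any real ledger: a minimal hash-chained ledger in Go in which every payment carries the payer's ECDSA signature, every block commits to the previous block's hash, and a validator replays the whole history. The account names, balances, transaction layout and the choice of the P-256 curve are assumptions made for the example (Bitcoin uses secp256k1 and a quite different transaction format).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Tx is a constructed payment record that the payer authorises by signing its digest.
type Tx struct {
	From, To string
	Amount   uint64
	Sig      []byte // ASN.1 DER ECDSA signature over Digest()
}

// Digest hashes the fields with length prefixes so they cannot be re-split.
func (t Tx) Digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%d:%s|%d:%s|%d", len(t.From), t.From, len(t.To), t.To, t.Amount)))
	return h[:]
}

// Block commits to the previous block's hash (nil for genesis) and to every signed transaction.
type Block struct {
	PrevHash []byte
	Txs      []Tx
}

func (b Block) Hash() []byte {
	h := sha256.New()
	h.Write(b.PrevHash)
	for _, t := range b.Txs {
		h.Write(append(t.Digest(), t.Sig...)) // any edit to a tx or its signature changes this hash
	}
	return h.Sum(nil)
}

// SignTx fills in the payer's signature (P-256 is assumed here because it is in the standard library).
func SignTx(priv *ecdsa.PrivateKey, tx *Tx) (err error) {
	tx.Sig, err = ecdsa.SignASN1(rand.Reader, priv, tx.Digest())
	return err
}

// Validate replays the ledger: hash linkage, a valid payer signature on every tx, and no overspending.
func Validate(keys map[string]*ecdsa.PublicKey, opening map[string]uint64, chain []Block) error {
	bal := map[string]uint64{}
	for k, v := range opening {
		bal[k] = v
	}
	var prev []byte
	for i, b := range chain {
		if string(b.PrevHash) != string(prev) {
			return fmt.Errorf("block %d: broken hash link", i)
		}
		for j, t := range b.Txs {
			pub, ok := keys[t.From]
			if !ok || !ecdsa.VerifyASN1(pub, t.Digest(), t.Sig) {
				return fmt.Errorf("block %d tx %d: bad signature for %s", i, j, t.From)
			}
			if bal[t.From] < t.Amount {
				return fmt.Errorf("block %d tx %d: %s overspends", i, j, t.From)
			}
			bal[t.From] -= t.Amount
			bal[t.To] += t.Amount
		}
		prev = b.Hash()
	}
	return nil
}

// BuildDemo constructs sample keys and a two-block ledger for "alice" and "bob" (assumed data).
func BuildDemo() (map[string]*ecdsa.PrivateKey, map[string]*ecdsa.PublicKey, map[string]uint64, []Block) {
	privs := map[string]*ecdsa.PrivateKey{}
	keys := map[string]*ecdsa.PublicKey{}
	for _, name := range []string{"alice", "bob"} {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		privs[name], keys[name] = k, &k.PublicKey
	}
	t1, t2 := Tx{From: "alice", To: "bob", Amount: 40}, Tx{From: "bob", To: "alice", Amount: 10}
	if SignTx(privs["alice"], &t1) != nil || SignTx(privs["bob"], &t2) != nil {
		panic("signing failed")
	}
	b0 := Block{Txs: []Tx{t1}}
	return privs, keys, map[string]uint64{"alice": 100, "bob": 0}, []Block{b0, {PrevHash: b0.Hash(), Txs: []Tx{t2}}}
}

func main() {
	privs, keys, opening, chain := BuildDemo()
	fmt.Println("honest ledger:", Validate(keys, opening, chain))
	chain[0].Txs[0].Amount = 90 // edited after signing: the signature check fails
	fmt.Println("altered amount:", Validate(keys, opening, chain))
	chain[0].Txs[0].Amount = 30 // alice re-signs a rewrite: block 1's hash link fails
	_ = SignTx(privs["alice"], &chain[0].Txs[0])
	fmt.Println("rewritten history:", Validate(keys, opening, chain))
}
```

Running it with `go run` prints `<nil>` for the honest ledger and an error for each tamper. The two tampers show the two distinct jobs the cryptography does: an outsider who edits an amount is caught by the signature, and a legitimate signer who rewrites and re-signs her own history is caught by the hash link in the next block, because its PrevHash no longer matches. The balance replay is the rule that "completes" a transaction. Note what is absent: nothing is encrypted, and a validator needs only public keys, which is why "encryption" is the wrong word for what secures a ledger.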

Phishing in India: The onus of prevention now lies with banks

With increasing adoption of internet banking in India, internet fraud, including phishing, has been on the rise. An April 2010 judgement on a phishing case filed by a victim of phishing against ICICI Bank went against the bank. This was a landmark case for many reasons:

• This was the first phishing case decided under the relatively new Information Technology Act 2000 (though some phishing cases are pending before consumer courts across the country).

• The adjudicator (the Tamil Nadu IT Secretary) not only dismissed the bank’s plea that the aggrieved customer had been negligent and ordered the bank to compensate him for the entire loss of money, but also chided the bank for its lack of due diligence and even ordered the bank to compensate the customer for the trauma suffered and for his legal and travelling expenses.

This judgement clearly puts the onus of preventing phishing on banks (unless a higher court reverses it). In his judgement, the adjudicator gave the following reasons for favouring the customer:

• The bank did not authenticate its emails to customers with digital signatures (which is against RBI guidelines).

• The money was transferred to an account which had been in debit for 2 years and was encashed through the issuance of self cheques. Failure to identify a major transaction on an overdraft account is evidence of negligence and lack of due diligence by the bank.

• The bank’s failure to retain CCTV records (as required by Know Your Customer norms) is further evidence of negligence by the bank.

The reasons put forward by the adjudicator clearly highlight the problems with internet banking in India. In spite of RBI rules and guidelines, digital signatures are hardly used, KYC norms are often not adhered to, and due diligence and fraud prevention systems are missing from the arsenal of Indian banks to fight online fraud. The judgement has thereby been hailed as a wake-up call for the banks.
However, absolving the customer of all charges of negligence in a phishing case may have wider repercussions. Even if a bank signs its communications with customers digitally, it is ultimately up to the customer to check for the digital signature each time an email arrives from the bank. If an email comes from a fraudster and the customer does not even check whether it carries a valid digital signature and divulges his login details, then that is negligence on the part of the customer. Hence the solution to phishing is not just better technology and due diligence by banks but better customer education. Just as everyone knows that a signature needs to be authenticated on a paper cheque, everyone needs to know that a digital signature needs to be authenticated in electronic communication. This is not an easy task in India, where every day a large number of people with very basic knowledge of the internet start using internet banking. ICICI Bank has run campaigns through emails to customers, on its website and through large advertisements in major newspapers about the dangers of phishing, which explicitly warn customers not to divulge account details through links sent in emails, as ICICI would never send such emails. If all liability for a phishing loss is transferred to banks, customers will inherently not be careful in their online transactions (the problem of moral hazard). Similarly, if banks are not also held responsible for phishing, they will have no incentive to invest in better systems. Hence losses arising out of phishing need to be shared by both the customer and the bank, depending upon the level of negligence of each.