NEW DELHI — Minutes after Indian Prime Minister Narendra Modi began an ambitious new mobile-phone-payment application in December, several clones of the app popped up at Android smartphone stores. In the first few days, users were flooded with spam requests for money.
The Bhim app sponsored by the government was rushed out after Modi’s abrupt withdrawal of large currency bills two months ago. More than 10 million people downloaded it in just 10 days, but in a country where awareness and regulation of privacy, data protection and digital security are low, the number of cyberattacks is rising.
“We are rushing toward launching and using these plethora of financial tech apps without the exhaustive security testing and education that is needed,” said Sunil Abraham, executive director of the Center for Internet and Society. “We are operating in a bit of a regulatory vacuum.”
Modi’s ambitious move to swap old bills for new was intended to fight the hoarding of illicit cash reserves. But it was derailed by shoddy implementation, left citizens in Asia’s third-largest economy without cash for weeks, slowed manufacturing and sent workers home, and is now likely to significantly affect the country’s economic growth this year, economists say. It was acutely painful for a country where 80 percent of transactions were conducted with cash.
Modi quickly responded by turning the adversity into a call for Indians to kick their overwhelming dependence on cash and opt for digital payments overnight. The Bhim app is just one of many available. But in this leap, experts say, security concerns are being overlooked.
The new payment apps and e-wallet companies are governed by India’s outdated information technology law of 2008 and central bank guidelines.
“India urgently needs a new digital payment law that regulates all these mobile payment apps that have sprung up overnight,” said Pavan Duggal, a cyber-law expert. “We are right now in a completely uncharted and unsupervised territory legally. The norms for wallet companies are undefined. If I lose my money due to a fraud, I can go round and round in circles with no remedy.”
The central bank recently issued guidelines asking payment banks to carry out security audits, but Duggal said “there is no penalty or punishment for noncompliance.”
The problem is compounded by the fact that education about security risks online is abysmally sparse, especially in India’s small towns and villages. Indians are complacent about cyber risks in their online behavior, according to the Norton Cyber Security Insights Report. India does not have a privacy law.
India reported more than 39,000 incidents of cyberattacks in the first nine months of 2016, according to the government, including phishing, scanning and probing, website intrusions, defacements, virus and malicious code, and denial-of-service attacks.
“The Pentagon got hacked, right? You haven’t closed down the Pentagon as yet,” said Piyush Goyal, a minister. “These things will happen, and we have to be one step ahead of the hackers and the so-called security breaches and continuously improving and improvising as they do in America or other developed economies.”
In October, top banks had to fix the security codes of about 3.2 million debit cards in one of the biggest data breaches in India. Some users complained that their cards had been used in China.
Last month, hackers attacked Twitter and email accounts of prominent politicians and journalists and defaced the website of the National Security Guard, an elite commando force.
“The focus of global hackers has shifted to India. The cyber risk is a direct fallout of the growth in the number of digital users,” said Saket Modi, the chief executive of Lucideus Tech, the firm that conducted the security audit of the government’s Bhim app.
Since the cash crunch began, the largest private e-wallet company, Paytm, has experienced a 400 percent jump in new downloads.
But only 342 million people access the Internet on their mobile phones. The government has introduced dial-in service for those who have basic cellphones to make digital payments.
The government is airing radio jingles telling citizens not to share their personal identification numbers and has a toll-free helpline to teach people how to make online payments.
“Officials understand how security worries can be a big dampener in their campaign to get people to go digital,” said Vinayak Godse, senior director at the Data Security Council of India, an industry body that advises the government.
But in a trade-off between convenience and security, the central bank recently waived the mandatory two-factor authentication for transactions less than $30 online.
Some cybersecurity experts say that Indians are not ready for this step.
The police recently arrested a gang in the eastern state of Jharkhand; operators were calling people posing as bank executives and tricking them into sharing their card details. They used the cards to do online shopping and transferred money into their e-wallet accounts.
“People are gullible and can be threatened or lured to part with their bank details easily. We need as many safeguards as we can have,” said Surendra Kumar, a senior police officer in New Delhi who busted the gang.
But the biggest problem people face is that police in one state get very little cooperation from those in another state in digital-crime complaints, said Rakshit Tandon, a cybersecurity expert who trains police, military members and school students.
“Only in big-ticket frauds will police departments from different states coordinate their investigations,” Tandon said. “If a person loses a relatively smaller amount digitally, the case won’t go far. Even though that amount may mean a lot in that person’s life.”
Annie Gowen contributed to this report.