BCY402 Module 2

The document discusses mobile and digital payment security, focusing on the unique security challenges posed by mobile devices and the need for specialized protection measures. It outlines seven major security concerns, including physical security, untrusted devices and networks, and the risks of malicious applications. Additionally, it presents a mobile device security strategy that encompasses device security, traffic security, and barrier security, along with common types of wireless and mobile device attacks.

Uploaded by ayushgt15

Module-II BCY402: ECS

Module-II

Dept. of CSE (CY), RNSIT Page 1


Mobile and Digital Payment Security


MOBILE DEVICE SECURITY
Prior to the widespread use of smartphones, the dominant paradigm for computer and network
security in organizations was as follows. Corporate user devices were typically limited to
Windows PCs. Business applications were controlled by IT and either run locally on endpoints or on
physical servers in data centers.

An organization’s networks must accommodate the following:


 Growing use of new devices: Organizations are experiencing significant growth in employee
use of mobile devices, and employees are allowed to use a combination of endpoint devices as part of
their day-to-day activities.
 Cloud-based applications: Applications no longer run solely on physical servers in corporate
data centers. Quite the opposite, applications can run anywhere—on traditional physical
servers, on mobile virtual servers, or in the cloud. Facebook can be used for an employee’s
personal profiles or as a component of a corporate marketing campaign. Employees depend
upon Skype to speak with friends abroad or for legitimate business video conferencing.
 De-Perimeterization: There are a multitude of network perimeters around devices,
applications, users, and data. These perimeters have also become quite dynamic as they must
adapt to various environmental conditions such as user role, device type, server virtualization
mobility, network location and time-of-day.
 External business requirements: The enterprise must also provide guests, third-party
contractors, and business partners network access using various devices from a multitude of
locations.

Security Threats-Challenges
Mobile devices need additional, specialized protection measures beyond those implemented for other
client devices, such as desktop and laptop devices that are used only within the organization’s
facilities and on the organization’s networks.


The seven major security concerns for mobile devices:

1. Lack of Physical Security controls: Mobile devices are typically under the complete control
of the user, and are used and kept in a variety of locations outside the organization’s control,
including off premises. Even if a device is required to remain on premises, the user may move
the device within the organization between secure and non-secured locations. Thus, theft and
tampering are realistic threats. The security policy for mobile devices must be based on the
assumption that any mobile device may be stolen or at least accessed by a malicious party.
The threat is twofold: A malicious party may attempt to recover sensitive data from the device
itself, or may use the device to gain access to the organization’s resources.
2. Use of untrusted mobile devices: In addition to company-issued and company-controlled
mobile devices, virtually all employees will have personal smartphones and/or tablets. The
organization must assume that these devices are not trustworthy. That is, the devices may not
employ encryption, and either the user or a third party may have installed a bypass to the built-in
restrictions on security, operating system use, and so on.
3. Use of Untrusted Networks: For off-premises use of mobile devices, the user will
typically access organizational resources via Wi-Fi or cellular access to the Internet and from
the Internet to the organization. Thus, traffic that includes an off-premises segment is
potentially susceptible to eavesdropping or man-in-the-middle types of attacks. The
security policy must therefore be based on the assumption that the networks between the mobile device
and the organization are not trustworthy.
4. Use of Applications Created By Unknown Parties: It is easy to find and install third-party
applications on mobile devices. This poses the risk of installing malicious software. An
organization has several options for dealing with this threat, as described subsequently.
5. Interaction with Other Systems: A common feature found on smartphones and tablets is the
ability to automatically synchronize data, apps, contacts, photos, and so on with other
computing devices and with cloud-based storage. Unless an organization has control of all the
devices involved in synchronization, there is considerable risk of the organization’s data
being stored in an unsecured location, plus the risk of the introduction of malware.
6. Use of Untrusted Content: Mobile devices may access and use content that other computing
devices do not encounter. An example is the Quick Response (QR) code, a two-dimensional barcode.
QR codes are designed to be captured by a mobile device camera and used by the mobile
device. The QR code translates to a URL, so a malicious QR code could direct the mobile
device to malicious Web sites.
7. Use of Location Services: The GPS capability on mobile devices can be used to maintain
knowledge of the physical location of the device. While this feature might be useful to an
organization as part of a presence service, it creates security risks. An attacker can use the
location information to determine where the device and user are located, which may be of use
to the attacker.

Mobile Device Security Strategy (How to overcome threats)


The principal elements of a mobile device security strategy fall into three categories: device security,
client/server traffic security, and barrier security (Figure 18.2).

1. Device Security: A number of organizations will supply mobile devices for employee use
and preconfigure those devices to conform to the enterprise security policy. However, many
organizations will find it convenient or even necessary to adopt a bring-your-own-device
(BYOD) policy that allows the personal mobile devices of employees to have access to
corporate resources. IT managers should be able to inspect each device before allowing
network access. IT will want to establish configuration guidelines for operating systems and
applications. For example, “rooted” or “jail-broken” devices are not permitted on the network,
and mobile devices cannot store corporate contacts on local storage. Whether a device is
owned by the organization or BYOD, the organization should configure the device with
security controls, including the following:
 Enable auto-lock, which causes the device to lock if it has not been used for a given
amount of time, requiring the user to re-enter a four-digit PIN or a password to
reactivate the device.
 Enable password or PIN protection. The PIN or password is needed to unlock the device.
In addition, it can be configured so that email and other data on the device are encrypted
using the PIN or password and can only be retrieved with the PIN or password.
 Avoid using auto-complete features that remember user names or passwords.
 Enable remote wipe.
 Ensure that SSL protection is enabled, if available.


 Make sure that software, including operating systems and applications, is up to date.
 Install antivirus software as it becomes available.
 Either sensitive data should be prohibited from storage on the mobile device or it should
be encrypted.
 IT staff should also have the ability to remotely access devices, wipe the device of all
data, and then disable the device in the event of loss or theft.
 The organization may prohibit all installation of third-party applications, implement
whitelisting to prohibit installation of all unapproved applications, or implement a secure
sandbox that isolates the organization’s data and applications from all other data and
applications on the mobile device. Any application that is on an approved list should be
accompanied by a digital signature and a public-key certificate from an approved
authority.
 The organization can implement and enforce restrictions on what devices can
synchronize and on the use of cloud-based storage.
 To deal with the threat of untrusted content, security responses can include training of
personnel on the risks inherent in untrusted content and disabling camera use on
corporate mobile devices.
 To counter the threat of malicious use of location services, the security policy can dictate
that such service is disabled on all mobile devices.
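A policy checker for the device security controls listed above, as an added example that is not part of these notes: it evaluates a constructed posture report of the kind an MDM agent might submit (the field names, thresholds and app identifiers are assumptions) against rules such as no rooted or jail-broken devices, auto-lock enabled, PIN set, storage encrypted, remote wipe on, an up-to-date operating system, only approved applications installed, and no corporate contacts on local storage.

```python
from dataclasses import dataclass
from typing import List, Tuple, Optional

# Policy thresholds are constructed for this example; a real policy lives in
# the MDM server, not in code.
MAX_AUTO_LOCK_SECONDS = 300                       # must lock within 5 minutes
MIN_OS_VERSION = (14, 0)                          # hypothetical minimum platform version
APPROVED_APPS = {"com.example.mail", "com.example.vpn", "com.example.chat"}  # constructed allowlist


@dataclass
class DevicePosture:
    """A posture report as an MDM agent might send it (constructed field names)."""
    device_id: str
    owner: str
    rooted_or_jailbroken: bool
    auto_lock_seconds: Optional[int]              # None means auto-lock is disabled
    pin_or_password_set: bool
    storage_encrypted: bool
    remote_wipe_enabled: bool
    os_version: Tuple[int, int]
    installed_apps: List[str]
    stores_corporate_contacts_locally: bool


def evaluate(posture: DevicePosture) -> List[str]:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    if posture.rooted_or_jailbroken:
        violations.append("rooted/jailbroken device not permitted")
    if posture.auto_lock_seconds is None:
        violations.append("auto-lock disabled")
    elif posture.auto_lock_seconds > MAX_AUTO_LOCK_SECONDS:
        violations.append("auto-lock timeout %ds exceeds %ds"
                          % (posture.auto_lock_seconds, MAX_AUTO_LOCK_SECONDS))
    if not posture.pin_or_password_set:
        violations.append("no PIN or password set")
    if not posture.storage_encrypted:
        violations.append("device storage not encrypted")
    if not posture.remote_wipe_enabled:
        violations.append("remote wipe not enabled")
    if posture.os_version < MIN_OS_VERSION:
        violations.append("operating system below minimum version")
    unapproved = sorted(set(posture.installed_apps) - APPROVED_APPS)
    if unapproved:
        violations.append("unapproved apps installed: " + ", ".join(unapproved))
    if posture.stores_corporate_contacts_locally:
        violations.append("corporate contacts stored on local storage")
    return violations


def admission_decision(posture: DevicePosture) -> Tuple[str, List[str]]:
    """Network admission: allow only a device with no violations."""
    violations = evaluate(posture)
    return ("allow" if not violations else "deny", violations)


# Two constructed posture reports: a compliant corporate device and a BYOD one.
CORPORATE_DEVICE = DevicePosture(
    device_id="corp-0001", owner="asha", rooted_or_jailbroken=False,
    auto_lock_seconds=120, pin_or_password_set=True, storage_encrypted=True,
    remote_wipe_enabled=True, os_version=(14, 2),
    installed_apps=["com.example.mail", "com.example.vpn"],
    stores_corporate_contacts_locally=False)

BYOD_DEVICE = DevicePosture(
    device_id="byod-0042", owner="ravi", rooted_or_jailbroken=True,
    auto_lock_seconds=900, pin_or_password_set=True, storage_encrypted=False,
    remote_wipe_enabled=True, os_version=(13, 2),
    installed_apps=["com.example.mail", "com.example.games"],
    stores_corporate_contacts_locally=True)

if __name__ == "__main__":
    for device in (CORPORATE_DEVICE, BYOD_DEVICE):
        decision, reasons = admission_decision(device)
        print(device.device_id, decision, reasons)
```

The checker reports every violation rather than stopping at the first, which is what an administrator needs to tell the owner what to fix before the device can be re-enrolled.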


2. Traffic Security: Traffic security is based on the usual mechanisms for encryption and
authentication. All traffic should be encrypted and travel by secure means, such as SSL or
IPv6. Virtual private networks (VPNs) can be configured so that all traffic between the
mobile device and the organization’s network is via a VPN. A strong authentication protocol
should be used to limit the access from the device to the resources of the organization. Often,
a mobile device has a single device-specific authenticator; because it is assumed that the
device has only one user. A preferable strategy is to have a two-layer authentication
mechanism, which involves authenticating the device and then authenticating the user of the
device.
3. Barrier Security: The organization should have security mechanisms to protect the network
from unauthorized access. The security strategy can also include firewall policies specific to
mobile device traffic. Firewall policies can limit the scope of data and application access for
all mobile devices. Similarly, intrusion detection and intrusion prevention systems can be
configured to have tighter rules for mobile device traffic.

Types of Wireless and Mobile Device Attacks

Wireless and mobile devices have become ubiquitous in today’s society, and with this increased
usage comes the potential for security threats. Wireless and mobile device attacks are a growing
concern for individuals, businesses, and governments.

Below are some of the most common types of Wireless and Mobile Device Attacks:

SMiShing: SMiShing has become common now that smartphones are widely used. SMiShing uses Short
Message Service (SMS) to send fraudulent text messages or links. The criminals may also cheat the user by
calling. Victims may provide sensitive information such as credit card information, account
information, etc. Accessing a website might result in the user unknowingly downloading malware
that infects the device.

War driving: War driving is a technique used by attackers to find access points wherever they can be.
With the availability of free Wi-Fi connections, they can drive around and obtain a very large
amount of information over a very short period of time.

WEP attack: Wired Equivalent Privacy (WEP) is a security protocol that attempted to provide a
wireless local area network with the same level of security as a wired LAN. Since physical
security steps help to protect a wired LAN, WEP attempts to provide similar protection for data
transmitted over a WLAN with encryption. WEP uses a key for encryption. There is no provision
for key management with Wired Equivalent Privacy, so the number of people sharing the key will
continually grow. Since everyone is using the same key, the criminal has access to a large amount
of traffic for analytic attacks.

WPA attack: Wi-Fi Protected Access (WPA) and then WPA2 came out as improved protocols to
replace WEP. WPA2 does not have the same encryption problems because an attacker cannot
recover the key by observing traffic. WPA2 is still susceptible to attack because cyber criminals can
analyze the packets going between the access point and an authorized user.

Bluejacking: Bluejacking is used for sending unauthorized messages to another Bluetooth device.
Bluetooth is a high-speed but very short-range wireless technology for exchanging data between
desktop and mobile computers and other devices.

Replay attacks: In a replay attack an attacker spies on information being sent between a sender
and a receiver. Once the attacker has captured the information, he or she can intercept it and
retransmit it, which can lead to delays in data transmission. It is also known as a playback
attack.
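
As an added example (not from the original notes) of how a receiver defends against the replay described above: each message carries a fresh nonce and a timestamp and is authenticated with an HMAC over all of its fields, so a retransmitted copy is rejected because its nonce was already seen, an old copy because it falls outside the acceptance window, and a modified copy because the MAC no longer verifies. The shared key, window size and message contents are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

# Shared secret between sender and receiver; constructed for this example only.
SHARED_KEY = b"constructed-demo-key-not-for-production"
MAX_CLOCK_SKEW_SECONDS = 30          # how old a message may be and still be accepted


def _canonical(fields: dict) -> bytes:
    """Deterministic encoding so sender and receiver MAC the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def build_message(payload: dict, now: int) -> dict:
    """Sender side: attach a fresh nonce and a timestamp, then MAC everything."""
    body = {"nonce": secrets.token_hex(16), "ts": now, "payload": payload}
    body["mac"] = hmac.new(SHARED_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return body


class Receiver:
    """Accepts each authentic message once, inside a bounded time window."""

    def __init__(self) -> None:
        self._seen: Dict[str, int] = {}      # nonce -> timestamp of the message

    def accept(self, msg: dict, now: int) -> Tuple[bool, str]:
        # 1. Integrity and origin first: anything tampered or forged stops here.
        mac = msg.get("mac")
        unsigned = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(SHARED_KEY, _canonical(unsigned), hashlib.sha256).hexdigest()
        if not (isinstance(mac, str) and hmac.compare_digest(mac, expected)):
            return False, "bad MAC (tampered or forged)"
        # 2. Freshness: a recording replayed much later fails the window check.
        if abs(now - msg["ts"]) > MAX_CLOCK_SKEW_SECONDS:
            return False, "timestamp outside acceptance window"
        # 3. Uniqueness: a recording replayed quickly fails the nonce check.
        if msg["nonce"] in self._seen:
            return False, "replay: nonce already used"
        self._seen[msg["nonce"]] = msg["ts"]
        self._expire(now)
        return True, "accepted"

    def _expire(self, now: int) -> None:
        # Nonces older than the window would fail step 2 anyway, so forgetting
        # them keeps the seen-set bounded without weakening the check.
        stale = [n for n, ts in self._seen.items() if now - ts > MAX_CLOCK_SKEW_SECONDS]
        for n in stale:
            del self._seen[n]


def demo() -> Tuple[bool, bool, bool, bool]:
    """Returns (original accepted, replay accepted, tampered accepted, stale accepted)."""
    rx = Receiver()
    t0 = 1_700_000_000
    msg = build_message({"action": "transfer", "amount": 250}, now=t0)
    first = rx.accept(msg, now=t0 + 1)
    replayed = rx.accept(dict(msg), now=t0 + 5)                      # same bytes again
    tampered = dict(msg, payload={"action": "transfer", "amount": 2500})
    forged = rx.accept(tampered, now=t0 + 2)                          # amount changed
    stale = rx.accept(build_message({"action": "ping"}, now=t0 - 600), now=t0)
    return first[0], replayed[0], forged[0], stale[0]


if __name__ == "__main__":
    print(demo())   # expected (True, False, False, False)
```

The order of the checks matters: the MAC is verified before the timestamp or nonce is trusted, because both of those fields are inside the authenticated data and mean nothing until the MAC has confirmed they were not altered.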
Bluesnarfing : It occurs when the attacker copies the victim’s information from his device. An
attacker can access information such as the user’s calendar, contact list, e-mail and text messages
without leaving any evidence of the attack.

RF Jamming: Wireless signals are susceptible to electromagnetic interference and radio-frequency
interference. Radio frequency (RF) jamming distorts the transmission of a satellite
station so that the signal does not reach the receiving station.

There are several types of attacks that target these devices, each with its own
advantages and disadvantages:

Wi-Fi Spoofing: Wi-Fi spoofing involves setting up a fake wireless access point to trick users
into connecting to it instead of the legitimate network. This attack can be used to steal sensitive
information such as usernames, passwords, and credit card numbers. One advantage of this attack
is that it is relatively easy to carry out, and the attacker does not need sophisticated tools or skills.
However, it can be easily detected if users are aware of the legitimate network’s name and other
details.


Packet Sniffing: Packet sniffing involves intercepting and analyzing the data packets that are
transmitted over a wireless network. This attack can be used to capture sensitive information such
as email messages, instant messages, and web traffic. One advantage of this attack is that it can be
carried out without the user’s knowledge. However, the attacker needs to be in close proximity to
the victim and must have the technical skills and tools to intercept and analyze the data.

Bluejacking: Bluejacking involves sending unsolicited messages to Bluetooth-enabled devices.
This attack can be used to send spam, phishing messages, or malware to the victim’s device. One
advantage of this attack is that it does not require a network connection, and the attacker can be
located anywhere within range of the victim’s Bluetooth signal. However, it requires the attacker
to have the victim’s Bluetooth device’s address and is limited to devices that have Bluetooth
capabilities.

SMS Spoofing: SMS spoofing involves sending text messages that appear to come from a trusted
source, such as a bank or a government agency. This attack can be used to trick users into
revealing sensitive information or downloading malware. One advantage of this attack is that it
can be carried out without the user’s knowledge. However, it requires the attacker to have the
victim’s phone number, and it can be easily detected if users are aware of the legitimate source
of the message.

Malware: Malware is software designed to infect a device and steal or damage data. Malware can
be distributed through email attachments, software downloads, or malicious websites. One
advantage of this attack is that it can be carried out remotely, without the attacker needing to be
physically close to the victim. However, it requires the attacker to have a way to deliver the
malware to the victim’s device, such as through a phishing email or a fake website.

Attacks against 3G mobile networks

There are a variety of attacks that may be launched against mobile networks, and they fall into two
types:

1. From outside the mobile network: public networks, private networks, and other networks.
2. From inside the mobile network: smartphones, laptops, and PCs linked to the 3G network.

Attacks against 3G mobile networks are:


1. Malware, viruses and worms –
Since many users are still shifting from 2G and 2.5G to 3G, there is an increasing need to
raise awareness about the risks that exist when using mobiles. Here are a few instances of malware
that target mobile phones:
 Skull Trojan –
It is designed to infect Series 60 phones running the Symbian mobile operating system.
 Cabir worm –
It was the first known worm on mobile phones. It infects a phone, which then scans for other
nearby devices over Bluetooth and sends them a copy of itself.
 Mosquito Trojan –
Mosquito Trojan is a corrupted variant of the Mosquitoes mobile game targeting series 60
phones.
 Brador Trojan –
It infects the Windows Mobile operating system by placing its svchost.exe file in the Windows startup
folder, which gives the attacker full access to the phone. Standard worm transmission vectors,
including email attachments, are compatible with this executable.
 Lasco Worm –
It was initially published in 2005 and was designed to attack Symbian-based PDAs and cell
phones. Lasco is built on Cabir’s code and uses Bluetooth technology to duplicate.

2. DDoS (Distributed Denial-of-Service):
The overall purpose of this attack is to make the system inaccessible to the targeted
users. A distributed denial-of-service (DDoS) attack is currently one of the most
prevalent cyber-security risks to wired ISPs. DDoS attacks are a type of DoS attack. A DDoS
attack entails the deployment of a botnet, that is, a collection of associated devices that
are used to flood a targeted system with bogus traffic.

3. Overbilling attack:
An attacker hijacks a user’s IP address and then uses it to begin non-free transfers or for their own
purposes. In either scenario, the transaction is charged to the real user. Whenever a lawful user’s IP
address is returned to an IP pool, a hacker can intercept this and take ownership. After that, the
hacker takes advantage of the user’s cellular/mobile network services.

4. Spoofed policy development process (PDP):
This attack is possible when there are flaws in GTP. Spoofing occurs when a hacker pretends to be a
legitimate system or client in order to steal information, install malicious software, or get
around security measures.


5. Signaling-level attacks:
VoIP services in IMS networks are provided using signaling by the Session Initiation Protocol (SIP).
SIP-based VoIP systems have a number of security flaws.

Security for Mobile Application


What is Mobile Application Security?
Mobile application security refers to the systems and techniques used to prevent mobile
applications from being exposed to dangers, risks, and unauthorized exchanges. It is a
combination of different approaches and methods that are designed to keep mobile apps secure
and provide resistance to any potential attacks.

Three common types of attack


 Browser-based attacks: outdated browsers or unsecured browsing.
 SMS-based attacks: downloading malware by clicking links.
 Application logic-based attacks: exploiting loopholes to bypass authentication mechanisms
and gain unauthorized access to data.

Here are some primary factors of mobile application security:

 Authentication and Authorization: This refers to authenticating users and
permitting them to access only the app settings and data to which they are entitled. Approaches
such as MFA or RBAC are widely implemented.

 Data Encryption: Securing sensitive information by encrypting it at rest (stored on the
device) and in transit (transmitted over networks) is a key step to reduce risks such as
unauthorized access and leakage of data. A strong encryption algorithm like the Advanced
Encryption Standard (AES) is advisable.

 Secure Communication Protocols: Mobile apps should be built using secure communication
protocols such as HTTPS for data transmission between the app and servers. This
contributes to preventing man-in-the-middle (MITM) attacks, in which the attacker
intrudes between two communicating parties and alters the traffic.

 Secure Code Practices: The code base of the app must be developed in adherence to
secure coding practices so that the developers can reduce the number of vulnerabilities in
the code of the app. These include input validation to prevent injection attacks, no
hardcoded credentials, and regular auditing with functional testing for security flaws.


 Secure Storage: Private data such as passwords, tokens, and private keys must be held
securely on the device. Using the device’s secure storage APIs and encrypting sensitive data
gives security the needed improvement.

 App Permissions: Mobile platforms grant an app access to specific data and device
features through permission-based systems that keep the user in control. Apps should only
request permissions when necessary, and at the same time present
clear explanations to users of why a permission is required.

What is Mobile Device Management (MDM)?


Mobile Device Management (MDM) is the proven method and toolset for keeping business data
secure while allowing employees access to mobile productivity tools and apps.
IT departments face a distinct range of obstacles when it comes to integrating and distributing
internal materials and assets because of the variety of mobile devices. Typically, mobile device
management uses a collection of company standards and licenses, on-device settings, apps, server
software, and hardware to control end-user devices.

How Does Mobile Device Management Work?


 In a data center, mobile device management needs two components: a server component
that allows IT managers to use a management interface to set and distribute policies, and a
client component that runs on end-user mobile devices to receive and carry out orders.
 Mobile device management has changed over time. Although at first scalability was a
concern, the implementation of central remote administration has removed outdated
processes such as SIM cards and client-initiated upgrades.
 To accelerate policy adoption, contemporary MDM software may instantly identify newly
connected devices to the corporate network and apply over-the-air instructions and
settings.
 Using application programming interfaces (APIs) integrated right into the operating
system of the device, the agent interacts with the devices to apply the rules.


Components of Mobile Device Management (MDM)


 Application security: App wrapping is a technique for application security where an IT
administrator adds management or security capabilities to an application.
 Device Security: An MDM system aids in enforcing the security guidelines inside the
company. To protect the material, the majority of MDM systems also provide device
encryption capabilities.
 Mobile management: For its employees, IT departments purchase, distribute, maintain,
and provide support for mobile devices, including device functionality problems.
 Device tracking: An organization may set up GPS tracking and other programs on every
device it issues or enrolls.
 Endpoint security: Endpoint security includes any devices that connect to a business
network, such as wearables, non-traditional mobile devices, and IoT sensors.
 Asset management: This allows for the monitoring of information about compliance
status and corporate resources utilized by the device. Along with many other things, MDM
may monitor the department and device owner.


DIGITAL PAYMENT SECURITY


What Is Digital Payment System?
The use of digital methods for payments or transactions is the digital payment system. They use
online methods. There is no physical money exchange.

 The digital payment system is spreading rapidly in India. One can witness that most people
avoid cash. This avoidance is usually due to the risks involved with the hard money.
Someone may steal it. It may also face damage.
 The digital payment system requires that both parties have electronic mediums. The payee
can only make the online payment if the receiver has a digital mode.
 The digital payment system also involves payments on the physical premises. For
example, one may pay with a card in the grocery store. This will still be a digital
payment.
 The other common one is online shopping. People order goods and can pay for the same
digitally. The digital payment system thus allows both these transactions.
 Digital payment system usually requires bank linking. The person must have their
account and link the same with the medium.
 Also, one must follow prudence in the digital payment system. They should follow the
privacy rules and not share any details.
 The digital payment system is an essential component of economic growth. More people
connect to the internet. The government can also get accurate income details. The economy
also reduces its dependency on hard money.


Types of Digital Payment Systems


There are several digital payment system models. One can choose the convenient option. It helps
provide digital payment facilities to everyone. They can make these payments even if they don't
have the traditional devices. Read about the different digital payment systems below.

1. Banking Cards

2. Unified Payments Interface

3. Mobile Wallets

4. Unstructured Supplementary Service Data (USSD)

5. Aadhaar-Enabled Payment System

https://testbook.com/ugc-net-commerce/digital-payment-system

Digital payment security is a crucial aspect of the financial ecosystem, especially with the
increasing adoption of various digital payment methods. Here is a detailed discussion on the
security aspects of different digital payment methods:

1. Banking Cards (Credit/Debit Cards)

Banking cards are a common digital payment system type. These can be debit or credit cards.
The different banks issue these cards to their account holders. Customers can complete payments
with this method. They might have to use a pin for the same. Most businesses now offer these
payments. One can carry these cards anywhere. Also, it is easy to cancel these cards if lost or
stolen. They provide better security with passwords. Also, customers can pay later with credit
cards. They have to pay the bills instead of shelling out cash at the time.

Security Features:

 EMV Chip Technology: Modern cards come with an EMV chip that generates a
unique transaction code for each purchase, making it difficult for fraudsters to
duplicate.
 Tokenization: Sensitive card details are replaced with a unique token during
transactions, protecting actual card data.
 Two-Factor Authentication (2FA): Many transactions require a second form of
verification, such as a one-time password (OTP) sent to the cardholder's phone.

 Secure PIN: A personal identification number (PIN) is required for card-present
transactions.

Challenges:
 Skimming: Fraudsters use devices to capture card information during transactions.
 Phishing: Attempts to obtain card details through fraudulent communication.

References:
 EMVCo - EMV Specifications

2. Unified Payments Interface (UPI)


The UPI system is another method for easy digital payments. One can link several bank accounts
to one UPI application. It helps send money from any of those accounts. The person doesn't have to
fill in their bank details. UPI IDs are also useful. One can simply enter the receiver's ID to send
money. They can also use the phone number of the receiver's account.
UPI is much more accessible and a simple digital payment system.
Security Features:

 Two-Factor Authentication: UPI transactions require two layers of authentication,
typically the UPI PIN and a registered mobile number.
 End-to-End Encryption: Data is encrypted from the sender to the receiver,
preventing interception.
 Real-Time Monitoring: Transactions are monitored in real-time for any suspicious
activity.

Challenges:
 Phishing and Vishing: Fraudsters may trick users into sharing their UPI credentials.
 App Security: The security of the mobile device and the UPI application is critical.


References:

 NPCI – UPI

3. Digital Wallets
These mobile wallets provide another digital payment system. They are digital wallets with
balance. One can use these wallets to make payments. These wallets are often linked to the
individual's bank account. One may transfer some money for the same. Several banks and private
companies offer their wallets. They provide offers like cashback and discounts to promote their
use.

Security Features:
 Tokenization: Similar to banking cards, wallet transactions use tokenization to
protect user data.
 Biometric Authentication: Many wallets support fingerprint or facial recognition for
added security.
 Secure Storage: Wallets store payment information in secure, encrypted
environments.

Challenges:
 Mobile Device Security: If a user's mobile device is compromised, so is their wallet.
 Phishing: Users can be lured into providing their wallet credentials.

References:
 Apple Pay Security and Privacy Overview
 Google Pay Security


4. USSD (Unstructured Supplementary Service Data)

The USSD digital payment system is present for the sections that don't have regular internet
access. There are some remote areas where people don't have this facility. They can use a simple
essential features phone. The person has to dial *99#. It helps access banking services without the
internet. The individual may enquire about their bank balance. They can also use it for interbank
transfers in bank accounts. All telecom providers have this service. It helps provide a digital
payment system for everyone.

Security Features:
 Session-Based Communication: USSD operates on a session-based model, reducing the
risk of data being stored or intercepted.
 PIN Authentication: Transactions often require a secure PIN for authorization.

Challenges:
 Lack of Encryption: USSD data is not always encrypted, making it susceptible to
interception.
 Phishing: Users might be tricked into disclosing their USSD PIN.

References:
 GSMA - Mobile Financial Services

5. Aadhaar Enabled Payment System (AEPS)


The AEPS system uses the Aadhaar technology. This digital payment system uses Aadhaar-linked
bank accounts. It also helps increase the reach of the Aadhaar system. An individual can
transfer funds from their Aadhaar-linked account to another. This system completes payments
without cards, cash, or digital signatures. One can complete their point-of-sale transactions with
Aadhaar authentication. Also, it allows cash withdrawals with a ₹15 charge. This system is
essential for many people. They can complete the digital payments with their identity.

Security Features:
• Biometric Authentication: AEPS transactions use the Aadhaar number and
biometric data (fingerprint or iris scan) for authentication.
• Secure Network: Transactions are processed through secure channels managed by the
National Payments Corporation of India (NPCI).

Challenges:
• Biometric Spoofing: Although difficult, biometric data can be spoofed.
• Data Privacy: The centralization of biometric data raises privacy concerns.


References:
• UIDAI – AEPS

General Best Practices for Digital Payment Security


1. Regular Updates and Patches: Ensure all payment systems and applications are up to
date with the latest security patches.
2. User Education: Educate users about the importance of safeguarding their payment
information and recognizing phishing attempts.
3. Multi-Layered Security: Implement multiple layers of security, such as encryption,
tokenization, and multi-factor authentication.
4. Monitoring and Analytics: Continuously monitor transactions for unusual patterns and
potential fraud.
5. Strong Password Policies: Encourage the use of strong, unique passwords and
regular password changes.

Conclusion
The security of digital payment systems is paramount to protecting users and maintaining trust in
digital transactions. Each payment method has its unique security features and challenges, but
with robust practices and user awareness, risks can be significantly mitigated. For more detailed
and specific information, users should refer to official resources and guidelines provided by
financial institutions and regulatory bodies.


Types of digital payment fraud


Digital payment systems, while convenient and efficient, are also susceptible to various forms of
fraud. Understanding these common frauds and implementing preventive measures are crucial for
maintaining security and trust. Here’s a detailed overview:

Common Types of Digital Payment Frauds

1. Phishing and Vishing
o Phishing: Fraudsters send fake emails or messages posing as legitimate
entities to trick users into revealing sensitive information like passwords,
credit card numbers, or personal details.
o Vishing: Voice phishing where attackers call victims pretending to be from a
reputable organization to extract sensitive information.
2. Card Skimming
o Fraudsters use skimming devices to capture card details during legitimate
transactions. These devices can be attached to ATMs or point-of-sale (POS)
terminals.
3. Card Not Present (CNP) Fraud
o Occurs during online transactions where the card is not physically present.
Fraudsters use stolen card information to make unauthorized purchases.
4. SIM Swapping
o Attackers trick mobile carriers into transferring the victim’s phone number to a
SIM card controlled by the attacker, enabling them to intercept OTPs and gain
access to bank accounts and digital wallets.
5. Man-in-the-Middle (MitM) Attacks
o Fraudsters intercept and alter communication between two parties to steal data or
inject malicious code. This can happen over unsecured Wi-Fi networks.
6. Fake Apps and Websites
o Fraudsters create counterfeit apps or websites resembling legitimate services to
steal login credentials and payment information.
7. Malware and Ransomware
o Malicious software installed on a user’s device can capture sensitive information,
encrypt data for ransom, or create backdoors for ongoing access.
8. Social Engineering
o Manipulating individuals into divulging confidential information through
psychological manipulation, often by posing as someone trustworthy.


Preventive Measures

1. Multi-Factor Authentication (MFA)
o Implementing MFA adds an extra layer of security, requiring users to provide two
or more verification factors, reducing the risk of unauthorized access.
2. Encryption
o Using strong encryption protocols (e.g., TLS) for all transactions to protect data
in transit from being intercepted and read by attackers.
3. Regular Software Updates and Patches
o Keeping all systems and applications up to date to protect against known
vulnerabilities.
4. User Education and Awareness
o Regularly educating users about the latest phishing techniques, safe browsing
practices, and the importance of verifying the authenticity of emails, messages,
and websites.
5. Secure Payment Gateways
o Using reputable and secure payment gateways that comply with PCI-DSS
(Payment Card Industry Data Security Standard) to ensure secure processing of
payment information.
6. Transaction Monitoring and Analytics
o Implementing real-time monitoring systems to detect unusual transaction patterns
and potential fraud attempts. Machine learning algorithms can be used to identify
anomalies.
7. Tokenization
o Replacing sensitive payment information with a unique identifier (token) that
cannot be used outside the specific context of a transaction, thus minimizing the
risk of data breaches.
8. Strong Password Policies
o Encouraging the use of strong, unique passwords and regularly changing them to
reduce the risk of unauthorized access.
9. Secure Development Practices
o Following secure coding practices and conducting regular security audits to
identify and fix vulnerabilities in payment applications.
10. Customer Verification
o Implementing strict verification processes, such as KYC (Know Your Customer),
to ensure that the person conducting the transaction is legitimate.
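Item 6 above (and item 4 of the general best practices) describes real-time transaction monitoring. The following is an added example, not code from these notes or from any payment provider: it replays a constructed payment log and raises alerts for bursts of payments, amount spikes and large payments from a device the account has never used. The log fields, thresholds and rules are assumptions.

```python
# Added example, not from the notes: rule-based transaction monitoring over a
# constructed log. Field names, thresholds and the three rules are assumptions.
from collections import defaultdict, deque

# Constructed sample log, one payment per line: epoch_seconds,account,amount,device_id
SAMPLE_LOG = """\
1000,acct1,25.00,dev-a
1060,acct1,30.00,dev-a
1120,acct1,20.00,dev-a
1700,acct2,500.00,dev-b
1710,acct2,500.00,dev-b
1720,acct2,500.00,dev-b
1725,acct2,500.00,dev-b
2000,acct1,900.00,dev-z
"""
BURST_LIMIT = 3             # more than this many payments inside BURST_WINDOW_S
BURST_WINDOW_S = 60
SPIKE_FACTOR = 5.0          # amount above this multiple of the account's average so far
NEW_DEVICE_MIN_AMOUNT = 100.0


def parse_log(text):
    # Parse the CSV-style log into (timestamp, account, amount, device) tuples.
    rows = []
    for line in text.strip().splitlines():
        ts, acct, amount, dev = line.split(",")
        rows.append((int(ts), acct, float(amount), dev))
    return rows


def monitor(rows):
    """Replay payments in time order and return (timestamp, account, rule) alerts."""
    alerts = []
    recent = defaultdict(deque)               # account -> timestamps inside the window
    history = defaultdict(lambda: (0.0, 0))   # account -> (sum, count) of earlier payments
    devices = defaultdict(set)                # account -> devices seen on earlier payments
    for ts, acct, amount, dev in sorted(rows):
        window = recent[acct]
        window.append(ts)
        while ts - window[0] > BURST_WINDOW_S:
            window.popleft()
        if len(window) > BURST_LIMIT:
            alerts.append((ts, acct, "burst"))
        total, count = history[acct]
        if count >= 2 and amount > SPIKE_FACTOR * (total / count):
            alerts.append((ts, acct, "amount_spike"))
        if devices[acct] and dev not in devices[acct] and amount >= NEW_DEVICE_MIN_AMOUNT:
            alerts.append((ts, acct, "new_device_high_amount"))
        history[acct] = (total + amount, count + 1)
        devices[acct].add(dev)
    return alerts
```

Each alert is a candidate for review rather than an automatic block; the averages and windows are per account, so the same amount can be normal for one customer and anomalous for another.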

Implementing these preventive measures can significantly reduce the risk of digital
payment fraud and ensure a secure transaction environment for both users and service
providers.
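The tokenization described in item 7 above (and under the wallet Security Features earlier) can be shown concretely. This added example is not code from these notes or from any wallet provider; the vault API, merchant identifiers and the 600-second token lifetime are assumptions. The token is random, bound to one merchant and one time window, and redeemable once, so a token leaked from a merchant cannot be reused elsewhere.

```python
# Added example, not from the notes or any wallet provider: an in-memory
# tokenization vault. Names and the 600 s default lifetime are assumptions.
from __future__ import annotations
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Reject malformed card numbers before they ever reach the vault."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class TokenRecord:
    pan: str            # the real card number, kept only inside the vault
    merchant_id: str    # context the token is bound to
    expires_at: float   # epoch seconds


class TokenVault:
    """Maps random tokens to card numbers; merchants only ever hold the token."""

    def __init__(self) -> None:
        self._records: dict[str, TokenRecord] = {}

    def tokenize(self, pan: str, merchant_id: str, now: float, ttl_s: int = 600) -> str:
        if not luhn_valid(pan):
            raise ValueError("malformed PAN")
        token = secrets.token_urlsafe(16)   # random, so it reveals nothing about the PAN
        self._records[token] = TokenRecord(pan, merchant_id, now + ttl_s)
        return token

    def redeem(self, token: str, merchant_id: str, now: float) -> str | None:
        """Return the PAN only to the bound merchant, before expiry, and only once."""
        rec = self._records.get(token)
        if rec is None or rec.merchant_id != merchant_id:
            return None
        del self._records[token]            # single use: burn it whether expired or not
        if now >= rec.expires_at:
            return None
        return rec.pan
```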