
New Delhi: The National Payments Corporation of India (NPCI), which operates the RuPay card network and other payment infrastructure, had over 40 cybersecurity vulnerabilities, including storing sensitive user information in plain text, making it easy for hackers to access.
The findings, some of which were described as “critical” and “high” risk vulnerabilities, were reported in a four-month government audit that ended in February 2019, according to a Reuters report.
The news report, published on 30 July, was based on an “internal government document” accessed by Reuters.
NPCI, which Reuters referred to as ‘India’s flagship payments processor’, is a not-for-profit entity created by the Reserve Bank of India (RBI) and Indian Banks’ Association (IBA) to improve infrastructure for payments and settlements, especially with the use of technology. The RuPay card network, which NPCI operates and which is endorsed by Prime Minister Narendra Modi, reportedly claims to have over 500 million users and competes with the likes of Mastercard and Visa.
Problems within NPCI
A key vulnerability the Reuters report pointed out is that NPCI had not encrypted the personal data of users. The government audit, issued in March 2019, indicated that the 16-digit numbers on credit/debit cards and personal information such as name, account number, and national identity number were stored in “plain text” in “some” databases. Plain text is data stored without encryption or encoding, and as such can be read by any person with access to it.
So if a hacker had accessed the NPCI databases of user information, it would have been very easy to collect and exploit data.
According to Reuters, NPCI processes “billions of dollars daily” through services like inter-bank fund transfers, ATM transactions and online payments.
The body had told the news agency in a statement that NPCI is “regularly” audited for security reasons, and that senior management looks at “all findings”. These findings are then “remediated to (the) satisfaction of the auditors”, it said, according to the news report.
National Cyber Security Coordinator Rajesh Pant told Reuters that “all observations raised in last year’s report have been confirmed as resolved by the NPCI”. The audit was coordinated by Pant’s office.
While the government audit had recommended that sensitive and personal data be “properly encrypted/masked in the database and logs”, it had also noted other vulnerabilities.
These included a ‘buffer overflow’ — an issue that could let hackers exploit flaws in coding — along with NPCI’s operating system not being up to date and a mail server having insufficient anti-malware functionality.