Meet Lucideus, the company that made BHIM app 'secure'
Meet Lucideus, the company that made BHIM app 'secure'
Cybersecurity professionals aim to simulate all known vulnerabilities across different points of a possible br... Read More
NEW DELHI: For about two months till the launch of the Bharat Interface for Money (BHIM), more than a dozen people at a New Delhi company slogged it out, spending sleepless nights to ensure that the app was safe and that the security loopholes were plugged before it went live.
This dedicated team comprised employees of Lucideus Tech, one of the cybersecurity companies that provided security for the app developed by the National Payment Corporation of India and launched by the Prime Minister on Friday.
"We literally worked all night for the last few weeks on the app. Over a dozen people at Lucideus were working exclusively on this," said Saket Modi, chief executive of the company. Lucideus has in the past worked with organisations such as ICICI Bank, Standard Chartered, IndiGo and KFC.
BHIM, the mobile app based on the Unified Payments Interface (UPI), is initially available only on Android devices. By Monday evening, BHIM made it to the 'top free apps' chart of Google Play Store in India, beating popular apps such as WhatsApp, Facebook and Facebook Messenger.
Lucideus, said Modi, was a natural choice to work on the security side of the app, given that it also worked on the cybersecurity assessment for the UPI common library, which is given to all banks to be embedded into their net banking apps.
The new app has three levels of security. Firstly, when a user opens BHIM for the first time, it gets bound to their device ID and phone number. The user also has to provide a PIN to unlock and enter the app.
Secondly, an authentication takes place between the bank and the user's mobile number registered with the bank. The third is the UPI PIN, set by the user, which will be required for every transaction through the app and its authorisation happens via UPI servers.
"In case someone replicates your SIM or steals your phone and places the SIM in a new phone, they would still not be able to do the transactions as they wouldn't have your UPI pin," said Modi.
Apart from over a hundred technical controls that the Lucideus team looked at, it also considered multiple scenarios where a potential breach could happen. For example, if you get a call during a transaction on BHIM, and hand over the phone to another person for the call, you will have to re-enter the app PIN after you disconnect the call.
Cybersecurity professionals aim to simulate all known vulnerabilities across different points of a possible breach. "However, there is nothing that can be 100% secured — there is always an unknown element, the known unknowns. But what can be done is to ensure that all known controls are tested for and to have an incident response strategy ready in case of a breach," Modi said.
Post November 8, when Prime Minister Narendra Modi announced demonetisation of Rs 500 and Rs 1,000 currency notes, digital payments have been on the rise. The use of mobile wallets has also gone up. BHIM could, however, change that soon.
"BHIM is superior from a technology standpoint along with a convenience perspective in comparison to mobile wallets. The requirement of a third party (a wallet app in this case) is completely eliminated as users can now transact directly using their bank account without the need to upload or recharge money into an external wallet and without compromising on their bank account's security in any way," said Modi.
According to him, spending on cybersecurity has seen an "exponential rise" in the recent past owing to the large number of sophisticated hacks in the world. India also witnessed the hacking of Twitter and email accounts of prominent public figures last year, putting the need to be secure online at the forefront.
This dedicated team comprised employees of Lucideus Tech, one of the cybersecurity companies that provided security for the app developed by the National Payment Corporation of India and launched by the Prime Minister on Friday.
"We literally worked all night for the last few weeks on the app. Over a dozen people at Lucideus were working exclusively on this," said Saket Modi, chief executive of the company. Lucideus has in the past worked with organisations such as ICICI Bank, Standard Chartered, IndiGo and KFC.
PM Modi launches e-wallet app BHIM: 10 things to know
BHIM, the mobile app based on the Unified Payments Interface (UPI), is initially available only on Android devices. By Monday evening, BHIM made it to the 'top free apps' chart of Google Play Store in India, beating popular apps such as WhatsApp, Facebook and Facebook Messenger.
Lucideus, said Modi, was a natural choice to work on the security side of the app, given that it also worked on the cybersecurity assessment for the UPI common library, which is given to all banks to be embedded into their net banking apps.
The new app has three levels of security. Firstly, when a user opens BHIM for the first time, it gets bound to their device ID and phone number. The user also has to provide a PIN to unlock and enter the app.
Secondly, an authentication takes place between the bank and the user's mobile number registered with the bank. The third is the UPI PIN, set by the user, which will be required for every transaction through the app and its authorisation happens via UPI servers.
"In case someone replicates your SIM or steals your phone and places the SIM in a new phone, they would still not be able to do the transactions as they wouldn't have your UPI pin," said Modi.
Apart from over a hundred technical controls that the Lucideus team looked at, it also considered multiple scenarios where a potential breach could happen. For example, if you get a call during a transaction on BHIM, and hand over the phone to another person for the call, you will have to re-enter the app PIN after you disconnect the call.
Cybersecurity professionals aim to simulate all known vulnerabilities across different points of a possible breach. "However, there is nothing that can be 100% secured — there is always an unknown element, the known unknowns. But what can be done is to ensure that all known controls are tested for and to have an incident response strategy ready in case of a breach," Modi said.
Post November 8, when Prime Minister Narendra Modi announced demonetisation of Rs 500 and Rs 1,000 currency notes, digital payments have been on the rise. The use of mobile wallets has also gone up. BHIM could, however, change that soon.
"BHIM is superior from a technology standpoint along with a convenience perspective in comparison to mobile wallets. The requirement of a third party (a wallet app in this case) is completely eliminated as users can now transact directly using their bank account without the need to upload or recharge money into an external wallet and without compromising on their bank account's security in any way," said Modi.
According to him, spending on cybersecurity has seen an "exponential rise" in the recent past owing to the large number of sophisticated hacks in the world. India also witnessed the hacking of Twitter and email accounts of prominent public figures last year, putting the need to be secure online at the forefront.
No comments: