Leaking bucket

Paytm needs to fix its own security systems to solve phishing problems and start behaving like a responsible payment service provider

The history of Indian fintech has been a progression of princely incentives and unlimited convenience. In a bid to acquire as many users as they could, startups recklessly drove top-line results to become unicorns. But legend says that unicorns were susceptible to virgins, and could be tricked by a woman posing as one. In a curious case of life imitating art, Paytm has shown a weakness for another form of imitation: fraud. A weakness it cannot rectify until it accepts its existence.

Paytm has been the target of fraud for at least two years. Since 2018, the company has faced around 500 instances of fraud every month. According to a recent Morning Context report, things came to a head in April this year, when fraud losses topped Rs 1.8 crore. In a move that signals Paytm’s increasing frustration with a homegrown problem they cannot control, they have sought Rs 100 crore in damages related to reputational loss from five Indian mobile network operators.

To better understand this issue, let’s use an analogy.

Imagine an airline called ABCXY with a loyalty app. This loyalty app stores transaction history and air miles which may be redeemed for merchandise. One day, a customer thinks she receives an email from the airline — though it’s actually from a fraudulent entity called ABCYX — which promises her merchandise at a 50 percent discount if she uses her air miles.

The customer agrees and is asked to download a file. The file mimics the customer’s loyalty app and she pays the air miles requested. When she realises that she has been scammed, she complains to the airline, which absolves itself and suggests that she file a police complaint. The airline soon receives frantic calls from other customers and realises that this is a systemic problem.

However, instead of improving its fraud detection architecture, the airline does nothing beyond tepidly warning its customers not to succumb to such schemes. When the complaints snowball, it decides to sue the mobile network operators. The substance of the suit is that since mobile network operators issue SIM cards, and SIM cards may be linked to mala fide caller IDs and email addresses (like ABCYX above), mobile network operators are responsible for digital wallet fraud.

In order to weigh the merits of Paytm’s case, we will need to examine the Paytm wallet through two lenses, digital identity management and digital wallet ownership, to assess vulnerability and to assign accountability.

Digital identity management is composed of establishing the unique identity of a customer (name, biometrics, Aadhaar number, etc), and a multi-factor authentication process — which employs weak single checks like passwords and PINs, or stronger ones in combination with additional prompts like secret questions and OTPs — to verify that the customer is indeed who she says she is.

Only a few years ago, Paytm’s KYC procedures violated so many protocols that the Reserve Bank of India asked the company to halt new enrolments altogether. While this may have improved, it is in the realm of authentication that it continues to be vulnerable. Nothing is easier than making a payment from Paytm. You only need to enter a phone number to pay another Paytm wallet; or a combination of bank account number, IFSC code and payee name along with a four-digit PIN to make a payment to a bank account.

But in this convenience and speed lies the problem: The customer is never asked to provide a second level of authentication, like an OTP. In fact, because illegal transactions can only be checked at the exact moment of payment request and authorisation, it is the lack of multi-factor authentication that promotes fraud in the first place. And the only entity that can continue to make this process progressively more secure over time is the owner of the payment instrument — Paytm.

Because Paytm is a payment instrument. Unlike Google Pay, which simply provides an interface to connect a customer’s payment preferences (card, bank account, etc) to a merchant’s bank account or wallet, Paytm acts as a merchant of record. This means that you load the Paytm wallet with funds prior to initiating an onward payment to a friend or merchant. As such, Paytm’s wallet operates like a virtual prepaid instrument whose custodianship lies with Paytm, very much like how the eventual ownership of an HDFC-issued credit card lies with HDFC.

As Paytm manages the payment authorisation process, it must build robust fraud early warning systems that can detect potentially unlawful transactions. These could include something as simple as an automated message asking the customer to confirm a recently authorised payment, or a transaction block which can only be unblocked after speaking to a company representative. In this, too, only Paytm can be held accountable for the frequency and magnitude of fraudulent payment requests.

No matter how the courts rule in the case, one thing is certain. Security and customer service are far more critical to the success of Indian fintechs than incentives and convenience. Future investments should be directed to this space. This is especially true when you think of Paytm venturing into areas like micro-finance and point-of-sale lending, where the lack of fraud detection systems could spell disaster well beyond the paltry sums that are embezzled today.

If unicorns like Paytm are not to be tricked time and again — after all, Paytm’s reputational loss is nothing compared to the financial losses suffered by its customers — they will need to start operating like responsible payment service providers, whose guiding philosophy has always been to trust but verify.