by Yuliya Pliavaka
As the Indian Government started its transition to a cashless economy and online payment systems, the question of financial sector security is being raised more and more each day. Indrajeet Bhuyan, one of the nullcon Goa 2018 speakers, has helped us understand what the current situation in this domain is and what measures can be taken to improve it.
I developed my interest in the field of information security when I was 14 years old (6 years back). Back then, I had no idea what it was and how to move ahead, although I enjoyed doing what I was doing. Just like most of the ethical hackers / security researchers, I too started my journey by “hacking” websites, but soon I realized that hacking someone else’s website is of no use unless I help in fixing and securing their services. Hence, from then on I started contributing my work to various companies and organizations.
Back in 2014 there was a hacker who created a code of 7 MB which could crash WhatsApp, but I achieved the same with just 2 kb and I called it WhatsApp Crash v1. I reported it and it was fixed; the next year I was able to bypass the protection and create WhatsApp Crash v2. Apart from that, I found several other flaws in WhatsApp later.
Popular Bollywood singer Papon’s (Angaraag Mahanta) official Facebook profile was hacked 2 years back and I helped him restore his account and secure his accounts / devices.
Last year the world got hit by the popular WannaCry ransomware. I created a basic tool called Wannasmile, using which people can protect themselves from WannaCry. It got thousands of downloads and many organizations added it to their advisories.
I am the youngest speaker at several international security conferences and also got covered in various national and international news portals like Daily Mail, Hindustan Times, The Register, CNN, etc.
I would like to mainly focus on increasing the importance of security in critical sectors, such as banking. I want to make people realize how insecure our personal details and money are. In addition, the main point that I would like to bring up is the trouble security researchers face while reporting these flaws and how banks and other bodies respond to it.
To be honest, the state of security in the financial sector is not so good at the moment, but it can be improved if things are realized. Earlier we had very few attacks in the financial sector (in India), as most of the work was done offline. Now, however, since we are moving towards digital India and a cashless economy, we have started doing most of our financial work online, and this has attracted the attention of many hackers, as our population is not fully ready to go completely digital, especially in the finance sector.
Also, even if there are some flaws found by security researchers, most of the financial institutions take them lightly and do not take any action unless they get hit by some big cyber-attack.
The most important step is to update their systems regularly. They should have a proper schedule of checking their systems every 6 months and updating them accordingly. In the recent WannaCry attack, it was seen that most banks and financial institutions still use Windows XP, so all of them became an easy target for attackers and were hit by the ransomware.
In all the self-help kiosks, biometric authentication should be implemented, as the current ones are not so secure.
In addition, proper security audits of financial institutions’ web services should be done from time to time.
There should be a platform where researchers can easily report flaws and quick actions should be taken.
At events like Nullcon we meet people from various parts of the world and learn about the latest developments and mishaps across the world. Today we use the internet for everything from booking movie tickets to buying property, giving away our personal data daily. At events like Nullcon we get to meet people from the domain of InfoSec, and through the talks and panels hosted at the event we learn to enhance our skills and protect ourselves from the next big attack.
To know more about this interesting topic, visit Indrajeet’s talk at nullcon Goa 2018.
Interview by Yuliya Pliavaka.