As WhatsApp Pay Goes Live, How Safe Is It? 

WhatsApp may have a few unique challenges to worry about along with the elevated fraud risk that most other UPI platforms face.

The Facebook Inc. WhatsApp app is arranged for a photograph. (Photographer: Roy Liu/Bloomberg)

WhatsApp Inc., the Facebook-owned messaging platform which went live across India on Friday, will find itself up against security concerns as it tries to grab a share of the country’s competitive payment market.

While all online payment platforms have been battling an elevated risk of frauds, in the case of WhatsApp, the risk perception is higher due to its ubiquitous messaging platform, said technology and cyberlaw experts that BloombergQuint spoke to.

WhatsApp Pay, for its part, addressed these concerns upfront in the blog post that announced the launch of its services.

“Just like every feature in WhatsApp, payments is designed with a strong set of security and privacy principles, including entering a personal UPI PIN for each payment,” the company said.

(Source: BloombergQuint)

WhatsApp Pay Vs Other Digital Payment Options

WhatsApp has been permitted to onboard only 20 million users in the first phase. This is a fraction of the 400 million users that the WhatsApp messaging platform has in India.

One concern emerges from the fraud risk linked to WhatsApp’s large user base, which could increase the chances of ‘social engineering attacks’. These are attacks that take advantage of human instincts by tricking victims into revealing confidential information, such as credit card details, passwords, etc.

“The privacy concern is a larger problem with WhatsApp than the other payment applications primarily because of its large user base in India, which makes it that much harder for the company to curb social engineering attacks,” said Nikhil Kumar, co-founder and chief evangelist at Setu. Kumar previously worked on building out the UPI framework at iSpirt.

As a payment application, WhatsApp needs to address this issue “seriously” by either putting caps on peer-to-peer transfers, allowing users to report frauds, blocking suspicious users or capping the value of transactions that can be made on the app, said Kumar.

This [social engineering attacks] is a product problem for WhatsApp and it needs to put in mechanisms to prevent fraudsters from engaging with their customers. With WhatsApp Business becoming a popular tool, the company has to take extreme caution on how business-to-consumer payments happen on their platform.
Nikhil Kumar, Co-Founder & Chief Evangelist, Setu

In its blog, WhatsApp Pay said it is currently working with five Indian banks, including State Bank of India, HDFC Bank Ltd., ICICI Bank Ltd., Axis Bank Ltd. and Jio Payments Bank to process payment services. Users can transfer funds across 160 banks in India using WhatsApp, the company said in a statement on Friday.

Beyond the risk that emerges from its large user base, the security offered by WhatsApp Pay should be similar to other third party payment applications.

“WhatsApp pay should have overall security levels broadly similar to other major UPI application providers given its focus on message encryption, data localization, etc,” said Fali Hodiwalla, partner - financial services, consulting at advisory firm EY.

Besides, partner banks follow strict security policies to protect customer data. “So whenever an application such as Google Pay or WhatsApp Pay links its infrastructure with the banks, it is by design secure because the bank’s security guidelines kick in,” said Kumar.

Fraud Liability And Data Security

Another concern that WhatsApp may want to address upfront is that of fraud liability and data security.

As a payments application, WhatsApp Pay will not be an intermediary as defined under the Information Technology Act, 2000, and cannot claim immunity from liability for third party acts, said NS Nappinai, Supreme Court advocate and founder of Cyber Saathi, a not-for-profit initiative focusing on cyber safety in digital spaces.

So far, internet companies such as WhatsApp and Facebook have taken shelter under India’s ‘safe harbour’ laws, which provide conditional immunity to intermediaries from third party acts. “...they cannot use the same argument to defend social engineering attacks or third-party data breaches of sensitive financial information of their users, whilst rendering services, as a payment system,” said Nappinai, adding that Reserve Bank of India rules on fraud liability would apply to them.

Checks And Balances

Instances of frauds via the UPI platform have been on the rise over the last two years and the Reserve Bank of India has cautioned against such frauds from time to time. According to a 2017 set of rules detailing the liability on account of frauds, the RBI had said that a customer shall bear zero liability in cases where there is a third party breach and a customer notifies a bank within three days.

However, a customer may have to bear a part of the liability where the fraud occurs due to his/her negligence, the RBI rules state.

Since WhatsApp has a larger user base, it can draw non-UPI or wallet users to try the service, said Akshay Garkel, partner and leader - cyber, at Grant Thornton Bharat LLP.

“This situation will also make it a larger playground for scamsters/fraudsters to scam elderly or less aware citizens (individual or business) into giving away their personal information including financial detail, UPI ID or even scan codes which could result into higher financial losses through debits from their bank accounts,” Garkel said.

Creating user awareness and informing them adequately about sharing of information and right usage of digital payment services is of utmost importance, he added.

As a good practice for consumers, it is advisable to link an alternate bank account that does not hold high balances in order to avoid losing large sums due to any such unforeseen cyber thefts. Reporting such losses immediately to WhatsApp and as per the RBI rules is also important.
Akshay Garkel, Partner and Leader - Cyber, Grant Thornton Bharat

WhatsApp can do a know-your-customer due diligence for all retailers on its business platform, Garkel suggested. Added layers of authentication, a banner on its app to inform users and allowing only registered devices to use the payment service could be some more steps to improve the security of WhatsApp payments, he said.