The story of the security team behind the BHIM app
- The Bharat Interface for Money (BHIM) app was launched on 30th December, 2016 by the National Payments Corporation of India (NPCI).
- For two months, till the launch of the BHIM app, a dedicated team of cybersecurity professionals from Delhi-based cybersecurity company Lucideus Tech "literally worked all night" to plug security holes in the app and ensure that it was safe.
BHIM's superiority over mobile wallets
"BHIM is superior from a technology standpoint along with a convenience perspective in comparison to mobile wallets. The requirement of a third party (a wallet app) is completely eliminated as users can now transact directly using their bank account," said Lucideus CEO Saket Modi.
Lucideus Tech's history with cybersecurity
- Lucideus Tech is no stranger to working with the government of India, having already played a crucial role in securing the Unified Payments Interface (UPI), on which the BHIM app is based.
- Furthermore, the company has previously worked with large organizations such as ICICI Bank, IndiGo, KFC and Standard Chartered Bank.
Preparing for the worst
- According to Saket Modi, the CEO of Lucideus Tech, the cybersecurity team behind the BHIM app consisted of around twelve people.
- Apart from going over more than a hundred technical controls, the Lucideus team also simulated several scenarios in which a security breach could occur, such as interruptions during transactions, SIM duplication and phone theft, and prepared contingency plans for each.
Having a contingency plan is the only assurance against threats
"However, there is nothing that can be 100% secured — there is always an unknown element, the known unknowns. But what can be done is to ensure that all known controls are tested for and to have an incident response strategy," said Saket Modi.
Security measures for the BHIM app
- The BHIM app comes with three levels of security.
- Firstly, when the app is opened for the first time, it binds itself to the user's phone number and device ID.
- Secondly, authentication takes place between the user's bank and his/her registered mobile number via one-time passwords (OTPs).
- Thirdly, the user is prompted to set a UPI PIN, which is required for every transaction made through the BHIM app.
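The three layers listed above can be modelled as a small server-side check: a transaction is approved only if it comes from the bound device, the mobile number has passed OTP verification, and the correct UPI PIN is supplied. The code below is an added illustration and is not code from NPCI, Lucideus or the BHIM app; the class and method names, the OTP validity window and the attempt cap are assumptions made for the example. It also shows which layer stops a request from an unbound device, which is the kind of phone-theft or SIM-duplication scenario the team planned for.

```python
"""Illustrative model of a three-layer BHIM-style authorization flow.

Added example, not NPCI's or Lucideus's implementation. Names, the OTP
validity window and the attempt cap are assumptions for this illustration.
"""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120   # assumed OTP validity window
MAX_OTP_ATTEMPTS = 3    # assumed number of guesses before the OTP is voided


def _pin_hash(pin: str, salt: str) -> str:
    """Store only a salted, stretched hash of the UPI PIN, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt.encode(), 100_000).hex()


class Account:
    """Server-side state for one user: device binding, OTP status and PIN hash."""

    def __init__(self, phone: str, device_id: str):
        self.phone = phone
        self.device_id = device_id      # layer 1: app bound to phone number + device ID
        self.verified = False           # layer 2: bank <-> registered number OTP passed
        self.pin_salt = secrets.token_hex(8)
        self.pin_hash = None            # layer 3: set only after OTP verification
        self._otp = None
        self._otp_expiry = 0.0
        self._otp_attempts = 0

    # layer 2: the bank issues an OTP to the registered mobile number
    def issue_otp(self, now=None) -> str:
        now = time.time() if now is None else now
        self._otp = f"{secrets.randbelow(10**6):06d}"
        self._otp_expiry = now + OTP_TTL_SECONDS
        self._otp_attempts = 0
        return self._otp  # in a real system this goes out over SMS, not back to the app

    def verify_otp(self, candidate: str, now=None) -> bool:
        now = time.time() if now is None else now
        if self._otp is None or now > self._otp_expiry:
            return False                      # no OTP outstanding, or it expired
        if self._otp_attempts >= MAX_OTP_ATTEMPTS:
            return False                      # too many guesses: OTP is void
        self._otp_attempts += 1
        ok = hmac.compare_digest(candidate, self._otp)
        if ok:
            self.verified = True
            self._otp = None                  # single use
        return ok

    # layer 3: the UPI PIN can only be set once the number has been verified
    def set_pin(self, pin: str) -> bool:
        if not self.verified:
            return False
        self.pin_hash = _pin_hash(pin, self.pin_salt)
        return True

    def authorize_transaction(self, device_id: str, pin: str, amount: int) -> str:
        """Every transaction must pass all three layers, in order."""
        if device_id != self.device_id:
            return "rejected: unbound device"
        if not self.verified:
            return "rejected: mobile number not verified"
        if self.pin_hash is None or not hmac.compare_digest(
            _pin_hash(pin, self.pin_salt), self.pin_hash
        ):
            return "rejected: bad UPI PIN"
        return f"approved: {amount}"


if __name__ == "__main__":
    # Constructed sample walk-through of first-time setup and a later payment.
    acct = Account("+91-0000000000", "device-A")       # constructed placeholder values
    otp = acct.issue_otp()
    print(acct.verify_otp(otp))                         # True
    print(acct.set_pin("4321"))                         # True
    print(acct.authorize_transaction("device-B", "4321", 100))  # rejected: unbound device
    print(acct.authorize_transaction("device-A", "4321", 100))  # approved: 100
```

The device check runs first so that a request from a second handset fails before the PIN is even examined; the OTP is single use, time-limited and attempt-capped so that a guessed or replayed code cannot complete layer 2.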