Paytm Employing Technologies and Tools to Fight Cyber Fraud

The case discusses the technologies and tools employed by Paytm, one of India's leading e-commerce and digital wallet companies. The case starts out by going into the reasons for the vulnerability of a digital payments company like Paytm to fraud. Though there are cyber laws in India to check fraud in digital payment systems, companies such as Paytm continued to be easy targets of fraudsters. The case then provides an overview of the kind of frauds encountered by the customers of Paytm, the loss borne by them and the various measures taken by Paytm to counter the frauds. Later, the case describes in detail the different tools and technologies like Data Encryption, Data Intrusion Detection Systems, and Artificial Intelligence that were adopted by Paytm to combat fraud. Vijay Shekhar Sharma (Sharma), Founder and CEO of Paytm, was confident that the security measures deployed by Paytm would be effective in combating cyber fraud. The question is, can Paytm maintain the same level of security in future considering the ever-shifting fraud landscape?

We are committed to ensuring that we block as many fraudsters and will continue to enhance our app security so that there's no stone left unturned towards safe digital payments experience.1

- Satish Kumar Gupta, Managing Director and CEO of Paytm Payments Bank in January 2020

In January 2020, Paytm Payments Bank (PPB), owned by one of the leading Indian e-commerce payment system and digital wallet2 companies, Paytm, submitted to the authorities 3,500 phone numbers, which the company suspected of being responsible for online frauds (SMS3 and call scams). The numbers were submitted to the Telecom Regulatory Authority of India (TRAI),4 the Ministry of Home Affairs (MHA),5 and the Indian Computer Emergency Response Team (CERT-in).6 PPB also filed a First Information Report (FIR)7 with the Indian police's cyber wing in Noida against the holders of the 3,500 phone numbers to stop the scams. This move was part of PPB's efforts to fight the growing threat of online fraud by cyber criminals, which resulted in its customers losing money.

Paytm also gave a list of SMS short codes to the concerned authorities. SMS short codes in the company's name were found to have been deceptively used to fool consumers and gather private information from them. In its interactions with the authorities, Paytm emphasized the need for timely and effective legal action with the involvement and support of telecom operators to end the fraud. Satish Kumar Gupta (Gupta), Managing Director and CEO of PPB, said, "Telecom operators should be directed to have stringent control on the issuance of short codes for bulk messages to companies. There is also a need to blacklist companies permitting such SMSs to be sent."8

From the early 2010s, online payments had made Indian customers' life much easier and Paytm was the leading digital wallet service in India, providing a multitude of payment services to consumers and businesses. Paytm enabled Person-to-Person (P2P)9 transactions and allowed people to securely pay each other anytime, anywhere with ease.

However, the Indian digital payments space was seeing an increase in fraudsters who were engaging in novel methods to deceive people and steal their money. Though most of the time, Paytm was able to ensure that its customers were not cheated, the company felt compelled by the rising incidence of fraud to take measures to secure its transactions. It not only implemented several technologies and tools to detect fraud, but also worked with regulatory authorities and adhered to legal requirements in order to check the incidence of fraud. The volume of digital transactions in India was expected to rise further in the future. According to a report of a leading financial services company Credit Suisse Group AG report, the digital payments market in India that stood at $200 bn in 2018, was expected to touch $1 tn by 202310 (see Exhibit I). Whether Paytm would continue to succeed in its efforts to combat cyber fraud in the long run was the question.

The Rise of Paytm
Vijay Shekhar Sharma (Sharma) was an engineering graduate from the Delhi Technological University.11 In 1997, Sharma designed a portal called Indiasite.net and

that he had received a call from a person claiming to be from the Paytm team and asking him to update his KYC. The person had further asked the complainant to share sensitive financial information, which he did. For the next two days, the complainant received several messages of withdrawals, collectively worth 0.12 mn from his bank account, in denominations of 9,999, 4,999 and 2,999.41 There were many similar incidents of Paytm customers being deceived.

There were several instances when Paytm itself was swindled. In December 2016, the Central Bureau of Investigation (CBI),42 on a complaint filed by Paytm, registered a case against 15 Paytm customers for allegedly cheating the company of 0.61 mn. Paytm alleged that those 15 persons were not actually Paytm customers, but only claiming to be its customers. According to Devpreet Singh, CBI spokesperson, "In its complaint, Paytm said that in some cases from March 2014 to April 2016 where refunds were made to the customers, delivery of orders was also successfully made to the same customers. Since the orders had been successfully delivered, refunds should not have been given. The generation of refunds led to a loss to Paytm to the tune of 6.15 lakh (0.61 mn)."43 The case was registered under various sections dealing with criminal conspiracy, forgery, etc., under the provisions of the IT Act.

Paytm also had to grapple with internal security threats-its own employees. In May 2019, a group of junior and mid-level employees at Paytm Mall created a false list of orders and customer profiles to exploit the cash back offers from Paytm. These employees associated with third-party vendors and created small-size counterfeit orders. They used the transactions with the vendors to earn commission. Since the size of these fake orders was small, they managed to escape the attention of the Paytm Mall management. However, Paytm Mall later observed an abnormal pattern of repeated orders from these consumer profiles, which led to an investigation.

According to media sources, the amount of the fraud ran up to about 100 mn. Paytm fired about 10 of its employees for conspiring with more than 100 vendors to execute the fraud. Paytm then delisted those 100 vendors from its business. Following the disclosure of this particular fraud, Sharma accepted that while cash back was a successful model to attract a large volume of customers, a strong technology-driven and secure network was key to preventing fraudulent activities.44

How Paytm Adopted Technologies and Tools to Fight the Fraud
Paytm employed certain IT tools to combat the cyber fraud. These tools included data security measures against fraud, as well as fraud detection systems like Data Encryption, Intrusion Detection Systems and AI. By leveraging these tools, Paytm made sure that the data at Paytm was encrypted and constantly monitored for any fraudulent activities.

Data Encryption
Paytm claimed that it was compliant in terms of security with 'The Payment Card Industry Data Security Standard' (PCI DSS).45 It also claimed that it never stored customers' CVV number46 to ensure their credit and debit card details were completely safe. All financial transactions on Paytm were done with 128-bit encryption47 Secure Sockets Layer (SSL)48 security (see Exhibit X).

Suggested Readings and References

1. "Paytm Says Telecom Companies Should Act Fast to Counter Online Frauds," www.cnbctv18.com, February 27, 2020.
2. "Paytm Payments Bank's New Feature to Safeguard User Accounts," www.cio.economictimes.indiatimes.com, January 29, 2020.
3. "Paytm Payments Bank to Help Spot Apps That May Trigger Fraud Transactions," www.business-standard.com, January 27, 2020.
4. "Paytm Moves Against Fraudsters, Files FIR," www.economictimes.indiatimes.com, January 25, 2020.
5. "Paytm Payments Bank Files FIR Against Cyber Criminals to Prevent Phishing and Scam," www.dqindia.com, January 24, 2020.
6. Tarush Bhalla, "Paytm Payments Bank Submits 3,500 Phone Numbers of Scamsters to TRAI and Home Ministry," www.yourstory.com, January 24, 2020.
7. Malvika Gurung, "Fraud Paytm Employees Rob Rs 5 Lakh from 6 Users in Maharashtra: KYC Fraud Strikes Again (How to Avoid It?)," www.trak.in, January 4, 2020.
8. "Road Map for the New Decade: Creating a Secure Future for Digital Payments," www.economictimes.indiatimes.com, December 28, 2019.
9. Ashwin Manikandan, "Paytm's Vijay Shekhar Sharma Cautions Customers of Scam Messages and Emails," www.economictimes.indiatimes.com, November 21, 2019.
10. Sushruth Sunder, "Paytm 'Fraud': This Big Money Manager Lost Rs 5,000 from Mobile Wallet, Here's How He Got It Back," www.financialexpress.com, November 13, 2019.
11. Akanksha Nagar, "How Paytm is Maintaining Its Leadership Position in the Digital Payment Space," www.bestmediainfo.com, October 14, 2019.
12. Jaime Toplin, "Despite India's Surging UPI, Market Leader Paytm Could Be Ceding Share to Competitors," www.businessinsider.com, August 12, 2019.
13. Vallari Gupte, "Paytm Fires 10 Employees, 100 Vendors after a Cashback Fraud," www.peoplematters.in, May 15, 2019.
14. Paytm Mall Ropes in EY to Fight Fraud Merchants," www.expresscomputer.in, May 14, 2019.
15. Annual-Report-One-97-Communications-Limited -2019.
16. . Sanjay Barot, "What Is SSL? How Do SSL Certificates Work?" www.dzone.com, November 19, 2018.
17. Prateek Roongta and Alpesh Shah, "The Top Five Trends in India's Digital Payment Landscape," www.livemint.com, October 1, 2018.
18. "We Have launched an AI Cloud for India," www.blog.paytm.com, August 21, 2018.
19. "Paytm Wants User Data Stored Locally! The Reason is Not Difficult to Guess," www.businesstoday.in, July 24, 2018.
20. "A Prank Paytm App is Being Used to Scam Shopkeepers by Displaying a Fake 'Amount Sent' Message," www.officechai.com, June 29, 2018.
21. "Paytm Exceeds 100 Million Downloads on Google Play Store," www.bgr.in, December 27, 2017.
22. Shruti Venkatesh and Varsha Meghani, "We Did 600 Days' Worth of Work Over 60 Days: Paytm's Vijay Shekhar Sharma," www.forbesindia.com, March 17, 2017.
23. Neeraj Gangal, "Paytm's Vijay Shekhar Sharma Ranked India's Youngest Billionaire in Forbes's Latest List," www.forbesindia.com, March 22, 2017.
24. "Digital Payment Providers to Fix Firewalls After Paytm Cyber-Attack," www.freepress journal.in, January 13, 2017.
25. . "CBI Registers Case Against 15 Paytm Customers for Rs 6.15 Lakh Fraud," www.thenews minute.com, December 17, 2016.
26. "Fraud - Introduction," www.lawteacher.net
27. www.paytm.com
28. . Tracxn as on September 4, 2019.
29. Business Insider Intelligence Estimates.
30. One97 communications annual report 2018-2019.
31. www.researchgate.net

1. "Paytm Payments Bank Files FIR Against Cyber Criminals to Prevent Phishing and Scam," www.dqindia.com, January 24, 2020.
2. A digital wallet, also known as "e-Wallet", refers to an electronic device or online service that allows an individual to make electronic transactions.
3. SMS is used to send text messages to mobile phones. The messages can typically be up to 160 characters in length.
4. The Telecom Regulatory Authority of India is a statutory body set up by the Government of India under Section 3 of the Telecom Regulatory Authority of India Act, 1997. It is the regulator of the telecommunications sector in India.
5. The Ministry of Home Affairs or the Home Ministry is a ministry of the Government of India. As the interior ministry of India, it is mainly responsible for the maintenance of internal security and domestic policy.
6. The Indian Computer Emergency Response Team is an office within the Ministry of Electronics and Information Technology. It is the nodal agency to deal with cyber security threats like hacking and phishing and was founded in 2004.
7. A 'First Information Report' (FIR) is a document prepared by police organizations when they receive information about the commission of a cognizable offence.
8. "Paytm Moves Against Fraudsters, Files FIR," www.economictimes.indiatimes.com, January 25, 2020.
9. Person-to-Person (P2P) payments is an online technology that allows customers to transfer funds from their bank account or credit card to another individual's account via the Internet or a mobile phone.
10. Prateek Roongta and Alpesh Shah, "The Top Five Trends in India's Digital Payment Landscape," www.livemint.com, October 1, 2018.
11. Delhi Technological University, formerly known as the Delhi College of Engineering, is a premier public university located in New Delhi, India. It was founded in 1941.
12. Founded in 1999, Lotus Interworks is a US-based technology company that deals with hardware, software, systems and applications technologies.
13. Intel Capital is a division of Intel Corporation, set up to manage corporate venture capital, global investment, and mergers and acquisitions. It was founded in 1991 and is based in California, United States.
14. Silicon Valley Bank, a subsidiary of SVB Financial Group, is a US-based high-tech commercial bank. It is one of the largest banks in the US and was founded in 1983.
15. Shruti Venkatesh and Varsha Meghani, "We Did 600 Days' Worth of Work Over 60 Days: Paytm's Vijay Shekhar Sharma," www.forbesindia.com, March 17, 2017.
16. Direct-to-Home television is a method of receiving satellite television by means of signals transmitted from direct-broadcast satellites.
17. Big Data is extremely large datasets that may be analyzed computationally to reveal patterns, trends and associations, especially relating to human behavior and interactions.
18. Artificial Intelligence (AI) is an area of computer science that emphasizes the creation of intelligent machines that work and react
s like humans.
19. Machine learning is the scientific study of algorithms and statistical models that computer systems use to perform a specific task without using explicit instructions, relying instead on patterns and inference.
20. Demonetization is the withdrawal of a coin, note, or precious metal from use as legal tender. On November 8, 2016, 500 and 1,000 notes were demonetized and exchanged for new currency or deposited into banks. These notes made up 86% of the total currency at that point of time.
21. Unified Payments Interface is an instant real-time payment system developed by National Payments Corporation of India that facilitated inter-bank transactions. It was introduced in 2016.
22. UPI ID is a particular address which identifies a person on a UPI. It is also called Virtual Payment Address or VPA. One can make direct bank payments to anyone on UPI using their UPI ID or scanning their QR.
23. Quick Response code is a barcode that is a machine-readable optical label that contains information about the item to which it is attached.
24. These are small stores with a single location or up to three locations often owned by an individual, a family, or a two person partnership.
25. A Business-to-Consumer (B2C) business sells products or services directly to the consumer.
26. "Paytm exceeds 100 million downloads on Google Play Store," www.bgr.in, December 27, 2017.
27. Neeraj Gangal, "Paytm's Vijay Shekhar Sharma Ranked India's Youngest Billionaire in Forbes's Latest List," www.forbesindia.com, March 22, 2017.
28. Jaime Toplin, "Despite India's Surging UPI, Market Leader Paytm Could Be Ceding Share to Competitors," www.businessinsider.com, August 12, 2019.
29. As on March 24, 2020, 1 US$ = 76 Indian Rupees approximately.
30. Annual-Report-One-97-Communications-Limited -2019.
31. Tarush Bhalla, "Paytm Payments Bank Submits 3,500 Phone Numbers of Scamsters to TRAI and Home Ministry," www.yourstory.com, January 24, 2020.
32. The Reserve Bank of India is India's central bank. It controls the issue and supply of the Indian rupee. The RBI, founded in 1935, is the regulator of entire banking sector in India.
33. KYC is an important term used by businesses and refers to the process of verification of the identity of the customers and clients either before or during the start of doing business with them.
34. "Fraud - Introduction," www.lawteacher.net
35. The Reserve Bank of India introduced an Ombudsman Scheme for Digital Transactions, 2019 (the Scheme). It is an expeditious and cost-free apex level mechanism for resolution of complaints regarding digital transactions undertaken by customers as defined in the Scheme. The Scheme was introduced under Section 18 Payment and Settlement Systems Act, 2007, with effect from January 31, 2019.
36. "A Prank Paytm App Is Being Used to Scam Shopkeepers by Displaying a Fake 'Amount Sent' Message," www.officechai.com, June 29, 2018.
37. Twitter is an American micro blogging and social networking service on which users post and interact using messages known as 'tweets'. It was founded in 2006 and as of 2019 it had more than 330 million monthly active users.
38. Sushruth Sunder, "Paytm 'Fraud': This Big Money Manager Lost 5,000 from Mobile Wallet, Here's How He Got It Back," www.financialexpress.com, November 13, 2019.
39. Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising oneself as a trustworthy entity in an electronic communication.
40. A Personal Identification Number (PIN) is a security code for verifying the user's identity, after which he/she is able to use his/her Paytm wallets.
41. Malvika Gurung, "Fraud Paytm Employees Rob Rs. 5 Lakh from 6 Users in Maharashtra: KYC Fraud Strikes Again (How to Avoid It?)," www.trak.in, January 4, 2020.
42. The Central Bureau of Investigation is the premier investigating agency of India. Operating under the jurisdiction of the Ministry of Personnel, Public Grievances and Pensions, the CBI is headed by the Director. It was established in 1963. It deals with all cases in which allegations are criminal in nature (i.e., bribery, corruption, forgery, criminal breach of trust, possession of assets disproportionate to known source of income, and cheating).
43. "CBI Registers Case Against 15 Paytm Customers for Rs 6.15 Lakh Fraud," www.thenewsminute.com, December 17, 2016.
44. Vallari Gupte, "Paytm Fires 10 Employees, 100 Vendors after a Cashback Fraud," www.peoplematters.in, May 15, 2019.
45. The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes.
46. Card Verification Value (CVV) is a combination of features used in credit, debit, and Automated Teller Machine (ATM) cards for the purpose of establishing the owner's identity and minimizing the risk of fraud.
47. 128-bit encryption is a data/file encryption technique that uses a 128-bit key to encrypt and decrypt data or files. It is one of the most secure encryption methods used in most modern encryption algorithms and technologies.
48. SSL, or Secure Sockets Layer, is an encryption-based Internet security protocol. It was first developed by Netscape in 1995 for the purpose of ensuring privacy, authentication, and data integrity in Internet communications.
49. HTTPS stands for Hypertext Transfer Protocol Secure. It is the protocol where encrypted HTTP data is transferred over a secure connection.
50. Sanjay Barot, "What Is SSL? How Do SSL Certificates Work?" www.dzone.com, November 19, 2018.
51. Fallible is an India-based technology company that helps startups secure their systems by continuously monitoring the set-up including external APIs, apps for bugs, and server logs. It was founded in 2015.
52. Application Programming Interface (API) is a set of functions and procedures which allow the creation of applications that access the features or data of an operating system, application, or other service.
53. An Intrusion Detection System (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations.
54. "Digital Payment Providers to Fix Firewalls After PayTM Cyber-Attack," www.freepressjournal.in, January 13, 2017.
55. "Paytm Payments Bank to Help Spot Apps That May Trigger Fraud Transactions," www.business-standard.com, January 27, 2020.
56. A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
57. Akanksha Nagar, "How Paytm is Maintaining Its Leadership Position in the Digital Payment Space," www.bestmediainfo.com, October 14, 2019.
58. Cloud Computing is the on-demand availability of computer system resources, especially data storage and computing power, without direct active management by the user.
59. "We Have Launched an AI Cloud for India," www.blog.paytm.com, August 21, 2018.
60. EY is a multinational professional services firm headquartered in London. EY is one of the largest professional services firms in the world that offered financial audit, tax, consulting and advisory services to its clients and was founded in 1989.
61. "Paytm Mall Ropes in EY to Fight Fraud Merchants," www.expresscomputer.in, May 14, 2019.
62. Ashwin Manikandan, "Paytm's Vijay Shekhar Sharma Cautions Customers of Scam Messages and Emails," www.economictimes.indiatimes.com, November 21, 2019.
63. KYB is an extension of KYC laws implemented to reduce money laundering. KYB is a set of practices to verify a business. It includes verification of registration credentials, location, the beneficial owners of that business, etc.
64. Tarush Bhalla, "Paytm Payments Bank Submits 3,500 Phone Numbers of Scamsters to TRAI and Home Ministry," www.yourstory.com, January 24, 2020.
65. A hackathon is a software design sprint-like event often in which computer programmers and others involved in software development, including graphic designers, interface designers, project managers, domain experts, and others collaborate intensively on software projects.
66. A bug bounty program is an event conducted by a website for individual programmers and they can receive recognition and compensation by the website for reporting bugs in the website, especially those pertaining to exploitations and vulnerabilities.
67. Data localization is the act of storing data on any device physically present within the borders of a country. As of now, most of the data is stored in a cloud outside India.
68. "Paytm Wants User Data Stored Locally! The Reason Is Not Difficult to Guess," www.businesstoday.in, July 24, 2018.
69. The Cyber Cell is a departmental body which looks into matters related to cyber crimes.
70. "Paytm Payments Bank's New Feature to Safeguard User Accounts," www.cio.economictimes. indiatimes.com, January 29, 2020.
71. "Road Map for the New Decade: Creating a Secure Future for Digital Payments," www.economic times.indiatimes.com, December 28, 2019.
72. Akanksha Nagar, "How Paytm is Maintaining Its Leadership Position in the Digital Payment Space," www.bestmediainfo.com, October 14, 2019.
73. "Paytm Says Telecom Companies Should Act Fast to Counter Online Frauds," www.cnbctv18.com, February 27, 2020.