Securing Instant or Real-Time Payment Systems

Insight categories: SecurityConsumer and Retail

Online shopping and digital apps have changed consumer spending patterns, and today, shopping is no longer limited to in-person transactions during regular business hours. Retailers face new challenges with fund transfers as merchants and app partners require faster, more reliable money transfer systems to meet consumers' evolving demands.

Traditional electronic payments bank transfers are not in line with user expectations. Instant payments are expected to become the standard mechanism for electronic fund transfers, merchant payments, and digital transactions.

Instant payments (also called real-time payments) are a method of exchanging money and processing payments that involve the transfer of funds across bank accounts in real-time rather than a couple of business days. Several countries have implemented instant payment systems and platforms due to the increased need for faster and more reliable transactions. Some notable examples of instant payment systems worldwide include Unified Payments Interface or UPI from India, New Payments Platform or NPP from Australia, Pix from Brazil, etc.

These services have become ubiquitous in their respective areas of operation and have cornered a large market share in the digital transactions space. They also provide many advantages such as 24x7 availability, transaction speed, ease of use, low-cost functionality, convenience, versatility, open environment, and safety. 

But this ease of use also comes with its share of security concerns.

This post describes these security concerns and different approaches which can be used to develop a secure system that prevents these services from being misused by criminals.

The Need

Since the advent of COVID-19, the use of real-time payments has risen exponentially. India has led the way with over 25 billion real-time transactions, as UPI payments and UPI-specific payment apps have become pervasive across India. Digital payment options can be found in each nook and corner of India, from luxurious shopping malls to street-side vendors. 

But as real-time payments have increased, the chances of fraud have also grown. The net effect is that the more ways we pay and the more places we interact with payment processors, the greater the opportunities for cybercriminals. The ease and convenience offered to users by these instant payment systems also brings dexterity to criminals, who have discovered the comfort and speed of using it to their advantage. This has led to so-called lightning kidnappings, whereby consumers are forced to make instant transfers to criminals while being held ransom.

In India, UPI payment apps usually come with multiple levels of security – a code to open the app and another PIN to perform the transaction. However, these are not sufficient when both the person and the device (which in most cases is a mobile phone) are held hostage together by criminals.

Possible Approaches to Security

Traditional approaches to cybersecurity react to situations and include rule-based responses such as scanning for a set of ‘known’ indicators that signal an attack, then remediating it. However, this often comes too late.

Given the magnitude of risk exposure, the time for traditional reactive solutions has passed. Machine learning and AI, when combined with behavioral analytics that scan for patterns and inconsistencies, can help financial institutions bolster real-time protection. For example, some helpful patterns include the geolocations where the transactions are being done, time of the day, amount of money transferred, types of accounts transferred to, etc.

Another option for financial institutions is to use Multi-Factor Authentication when the amount transferred or the number of transactions exceeds a certain threshold. However, an important point to note here is that most MFAs implementations require a mobile phone and a PIN to complete the transaction. This is ineffective when a hacker/criminal has access to the person and the mobile phone. 

As a result, the solutions must factor in that both measures will not be available simultaneously. This needs to be thought through, but one option could be the mobile phone of the spouse or an emergency contact person.

In the physical world, we see home burglar alarms with a code to turn off the alarms within a couple of mins when the homeowner opens the door. When someone other than the owner opens the door, he/she will be unaware of the code, and an alarm is sent to the nearest security office/ police station indicating an unexpected home entry. We can take this to the online world by allowing users to set an alarm code that will go off when an unexpected transaction occurs and block the user's account, which can be prevented only by entering a secret code.

Sometimes, fraudsters request money through QR codes by duping gullible sellers of physical items on online marketplaces. Users must be careful and double-check the purpose and amount whenever a PIN code or MFA is needed for instant payment through QR codes. 

The end user can take precautions against fraud, as well. These are not elegant solutions, but provide a way to secure the major funds in a better way. 

One approach is to use a separate bank account with limited funds for online transactions. This way, crooks would have access to only a part of the total amount, resulting in lower losses. Another approach is to use different devices for communication and online transactions. A separate mobile phone can be linked to bank accounts and instant payment systems that can be stored securely from unauthorized use. A third approach is to have a separate security device for transactions – one that is not carried all the time during travel and is required for high-value transactions beyond a certain limit.


Instant payment systems have proved to be a boon for both consumers and businesses that use them to efficiently transfer money across users. However, this also introduces new ways these technologies could potentially be misused by criminals. Financial institutions and users themselves have work to do to better secure the payment system, as well as individual payments.

Learn more:



Arun Viswanathan

Principal Architect, Technology

View all Articles


Rahul Barik

Senior Solution Architect, Technology

View all Articles

Trending Insights

If You Build Products, You Should Be Using Digital Twins

If You Build Products, You Should Be Using...

Digital TransformationTesting and QAManufacturing and Industrial
Empowering Teams with Agile Product-Oriented Delivery, Step By Step

Empowering Teams with Agile Product-Oriented Delivery, Step By...

AgileProject ManagementAutomotiveCommunicationsConsumer and RetailMedia

Top Authors

Amit Handoo

Amit Handoo

Vice President, Client Engagement

Ravikrishna Yallapragada

Ravikrishna Yallapragada

AVP, Engineering

Lavanya Mandavilli

Lavanya Mandavilli

Principal Technical Writer

Oleksandr Fedirko

Oleksandr Fedirko

Senior Solution Architect

Mark Norkin

Mark Norkin

Consultant, Engineering

All Categories

  • URL copied!