Connect with us

NEWS

AI, Identity and Real-Time Payments Rewrite India’s Bank Threat Model

India’s Digital Threat Report 2025-26 warns that AI, digital identity and real-time payments have created new trust-based cyberattack risks for banks.

Published

on

A new government report says Indian banks are being attacked less often but far more expensively, because criminals have largely stopped picking locks and started borrowing the keys. The Digital Threat Report 2025-26, released Monday by the Ministry of Electronics and Information Technology (MeitY), the Indian Computer Emergency Response Team (CERT-In), the Computer Security Incident Response Team in Finance (CSIRT-Fin) and cybersecurity firm SISA, found that attackers are now exploiting the trust between banking systems instead of breaking directly into them.

Cyberattacks against India’s banking, financial services and insurance sector, known as BFSI, have nearly doubled since 2021 and now strike at 1.6 times the global average, separate industry data cited around the report’s launch show. Six of the seven forward-looking predictions in last year’s edition have already come true.

Attackers Stop Breaking In and Start Borrowing Trust

The report’s central claim is blunt. “Modern financial attacks are moving from direct compromise to trust-chain manipulation across biometric onboarding, partner apps, AI decisioning, real-time payments, APIs, programmable finance, and third-party ecosystems,” the report said. Attackers are exploiting the gaps between systems, institutions and workflows, where no single control owner has full visibility.

  • Trust-chain manipulation – attackers exploit the trust between connected systems, such as biometric logins, partner apps and payment APIs, instead of directly breaching one system’s own defenses.

The assessment is the second annual edition of a joint effort involving MeitY, CERT-In, CSIRT-Fin and SISA, a cybersecurity firm that has partnered with the agencies for two consecutive years. It gives financial institutions and regulators an executive assessment of the threats reshaping banking, insurance and digital payments.

To make the pattern legible, the authors introduce what they call an anatomy of cyber failure, a four-layer framework covering design gaps, enforcement gaps, signal gaps and response gaps. It walks through real-world failure chains, from trusted-entry breaches and privilege escalation to business-logic abuse and attack chains that move through parts of a network with no telemetry at all.

Conventional security architecture was built for a different era, one where control sat in a single place and trust had clear edges. That design no longer holds. “Regulatory compliance frameworks are catching up, but they are catching up to an architecture that is itself still evolving,” the report said.

The inaugural edition, published last year, drew about 20,000 downloads and 350 executive briefings, and was showcased at the RSA Conference in San Francisco, SISA said at Monday’s launch.

The Fraud Math Stops Adding Up

Two separate data sets, gathered for different reasons, point the same way. The Reserve Bank of India (RBI) tracks fraud cases worth ₹1 lakh and above in its annual report, and the latest numbers look almost backward at first glance.

Fraud cases fell sharply in the year through March 2026, dropping to 10,114 from 23,722 the year before, a decline of nearly 57 percent. But the money involved kept climbing. Reported fraud totaled ₹48,021 crore (roughly $5.5 billion) for the year, up 46 percent from the prior year and more than four times the ₹11,013 crore recorded two years earlier.

Fiscal Year Fraud Cases Reported Amount Involved
2023-24 (FY24) 35,800 ₹11,013 crore
2024-25 (FY25) 23,722 ₹32,803 crore
2025-26 (FY26) 10,114 ₹48,021 crore

Most of that FY26 jump traces to loan and advances fraud, which made up 85.5 percent of the year’s total value, plus a Supreme Court-driven reclassification of 314 older cases worth ₹30,199 crore. Card, internet and digital payment fraud actually fell across the same three years, according to RBI figures showing loan fraud driving the losses.

The second data set comes from a different place: a Boston Consulting Group (BCG) and Data Security Council of India (DSCI) study cited around the Digital Threat Report’s launch. It counted raw cyberattack incidents rather than adjudicated fraud, finding BFSI attacks in India running at 1.6 times the global average, climbing from 1.4 million in 2021 to 2.9 million in 2025. IBM’s most recent breach-cost research puts the average cost of a financial-services breach at $6.08 million, well above the $4.88 million global average across all industries.

What Is AI Asymmetry, and Why Does It Matter Now?

AI asymmetry is the report’s term for a simple imbalance. Offensive hacking tools built on artificial intelligence are improving faster than the defensive and regulatory systems meant to contain them, letting attackers with modest resources run operations that once required specialist teams and weeks of manual work.

The report points to a real case. In November 2025, Anthropic, the AI company that built the Claude chatbot, disclosed what it called GTG-1002, described as the first reported large-scale, AI-orchestrated cyber-espionage campaign. Adversaries already have equivalent tools in hand, the report notes.

What AI has handed attackers comes down to four things they lacked before: speed, scale, accuracy and autonomy. Phishing messages now read as fluent, context-aware notes nearly indistinguishable from a colleague’s email. Attacks that once took a trained team days to prepare can now be generated, refined and deployed at machine speed.

Payment industry leaders are already ranking the resulting risks. Mastercard’s own research found synthetic identity fraud, impersonation scams and cross-border fraud topping the list of fastest-growing threats for the year ahead, cited by 61 percent, 60 percent and 54 percent of leaders respectively.

The one prediction from last year’s edition that has not fully materialized is quantum risk, though the report notes attackers are already running “harvest now, decrypt later” operations, stealing encrypted data today to crack once quantum computing matures.

One Compromised Identity, Every Door Open

Identity sits at the center of the report’s warning. Indian banks increasingly rely on biometric logins, continuous authentication signals and token chains that link one system to the next, letting customers move between a bank’s app, a lending partner and a payments platform without a second login.

When identity becomes the primary control plane for access and transactions, built on biometrics, continuous authentication signals, and cross-system token chains, a single identity compromise no longer affects one account. It provides broad, persistent, cross-system access.

That is the report’s own language. It describes what a single stolen fingerprint scan or hijacked session token can now do: open a chain of accounts across institutions that never directly shared infrastructure.

The pattern is not unique to India. Zac Cohen, chief product officer at identity verification firm Trulioo, described synthetic faces, voices and behavior deployed in concert during a March interview with payments outlet PYMNTS.

“What I worry about is really the ability to use them in concert together,” Cohen said. “Point solutions will always fail against a multidimensional attack.”

Other governments are racing to make digital identity itself a piece of national infrastructure. Costa Rica has moved to make a national digital identity credential mandatory for residents starting in 2027, built on the same biometric and token systems India’s report now flags as an attack surface.

A Breach Can Now Hide Behind a Clean Dashboard

Compliance monitoring built to prove a clean security posture can itself be turned against the institution using it, the report warns.

Compliance monitoring that relies on control signals becomes “weaponisable,” in the report’s words, because attackers can suppress logs, manipulate alert thresholds and maintain the appearance of a clean posture while operating inside a compromised environment.

The finding lands at an awkward moment for compliance teams already rethinking how they work. A separate analysis of financial crime compliance has argued that operating models need rebuilding before artificial intelligence gets layered on top of them.

No Single Institution Owns the Whole Mesh

“The threat surface is no longer a perimeter,” the report said. “Instead, it is a distributed continuous shifting mesh of relationships across partners, platforms, models, APIs and infrastructure layers.” None of it sits under one institution’s full ownership or control, the authors add.

Third-Party Vendors Widen the Gap

That gap in ownership is where mid-sized lenders and smaller fintech firms sit most exposed. The BCG and DSCI study found these institutions face the highest exposure of all, largely because of comparatively lower cybersecurity spending than larger banks.

Supply-chain compromise already shows what that looks like in practice. The report cites a 2025 breach at a single technology vendor that hit more than 70 United States banks and credit unions, exposing more than a million customer records.

The report wants identity governance to stretch beyond human customers, covering service accounts, machine identities and the agentic AI systems banks are beginning to deploy internally. The idea of an AI system carrying its own persistent identity is no longer theoretical. A separate platform, a conversational AI identity system called AI YOU, launched earlier this year built on exactly that premise.

CERT-In’s Own Scale of Response

CERT-In’s broader workload shows the size of the job behind the report. The agency ran 122 cybersecurity drills across roughly 1,570 organizations and trained more than 20,000 officers and security professionals in its most recent activity period.

MeitY Secretary S. Krishnan told the launch event that cybersecurity should be treated as an organization-wide business risk rather than only a technical function, and called for stronger identity and access management across the sector.

The Roadmap Begins With Liveness Detection

The report does not just diagnose the problem. It lays out an 18-month roadmap across three horizons, starting with foundational controls like phishing-resistant multi-factor authentication before moving toward longer-cycle shifts such as passwordless authentication and post-quantum cryptography migration.

Four recommendations stand out:

  • Make active liveness detection the default standard for digital onboarding, replacing static photo or document checks.
  • Adopt continuous session assurance through behavioral biometrics, device posture monitoring and token binding for high-privilege sessions.
  • Extend identity governance beyond human customers to service accounts, machine identities and agentic AI.
  • Enable cross-database identity verification for high-assurance account openings wherever legally feasible.

The report also sets supervisory priorities for 2027, including adversarial-robustness testing before AI is deployed in consequential financial decisions and treating AI agents as privileged identities subject to continuous monitoring.

Dr. Sanjay Bahl, CERT-In’s director general, put it more simply at the launch. “You have to follow some basic hygiene that is the first step and secondly the way the threat actors are evolving,” he said.

Europe is testing a similar idea from the liability side. Draft EU payment rules under discussion would make payment providers liable for authorized transfers triggered by impersonation scams, shifting the question from whether a payment was technically authenticated to whether the provider should have flagged it first.

Darshan Shanthamurthy, founder and chief executive of SISA, called the report “very forward looking” in comments to ANI, a wire service, adding that it should help the global cybersecurity community too. He cautioned that cyber threats keep evolving faster than organizations can respond.

Logan Pierce is a writer and web publisher with over seven years of experience covering consumer technology. He has published work on independent tech blogs and freelance bylines covering Android devices, privacy focused software, and budget gadgets. Logan founded Oton Technology to publish clear, no nonsense tech news and reviews based on real hands on testing. He has personally tested and reviewed dozens of mid range and budget Android phones, written extensively about app privacy, and built and managed multiple WordPress publications over the past decade. Logan holds a bachelor's degree in English and studied digital marketing at a certificate level.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending