The recent breach of MobiKwik, where fraudsters took advantage of technical glitches to make away with over ₹40 crores, highlights the vulnerabilities of digital payment systems. For B2B payment platforms such as Paytm, Google Pay, PhonePe, etc., this particular incident emphasizes the need for improved security architecture, along with proactive risk management practices.

The breach disclosed a key flaw in the transaction validation logic. The application erroneously treated both transactions as successful, even though the payments failed. This enabled the fraudster merchants to credit their own accounts when there was no funding, which produced money out of nothing. The extent of the fraud (2,500 involved bank accounts and ₹8 crores recovered) illustrates how quickly vulnerabilities can be exploited, once discovered.

Critical Security Measures for Digital Wallet Providers

1. Implement Multi-Layer Transaction Verification

Digital payments wallets must have back-up verification mechanisms in place to check the transaction status across several systems. A one point validation is not longer adequate. Payment platforms should have the following:

• Real-time reconciliation engine that matches wallet credit with actual bank debits. It is imperative that a transaction hold is applied upon a mismatch of recorded wallet transactions with the banking partner's recorded transactions.
• Dual verification protocol becomes essential, where confirmation of the success of a transaction is required prior to approval of funds transfer to merchants from wallet provider.
• Automated anomaly detection systems powered by machine learning can detect unusual transaction behaviours, such as multiple transactions that fail but are ultimately successful from the same account and sudden increases in transaction volume from previously dormant accounts.

2. Strengthen Merchant Onboarding and Monitoring

The MobiKwik incident illustrates the potential risks of merchant-facing systems. Payment platforms must improve their merchant onboarding through:

Improved KYC practices that establish more certainty through behavioural analysis, business verification and risk scoring as opposed to traditional documentation. Platforms should connect merchants to tiered levels of access depending on payment history and risk profiles.

Continuous merchant monitoring systems to observe merchant behaviour patterns and identify suspicious activities. Parameters should include the frequency of transactions, average ticket sizes, refunds and the ratio of failed vs. successful transactions.

Merchant account velocity checks that limit the number and value of transactions new merchants can process until they establish a reliable track record. Progressive limit increases can be tied to verified business milestones and clean transaction histories.

3. Implement Advanced Testing Protocols

Before deploying any application, update or features, digital payment wallet providers must conduct thorough security assessments, which include:

Penetration testing specifically designed to find vulnerabilities in transaction validation process. Security teams should try to replicate an environment where failed transactions have been mistakenly classified as being successful.

Chaos engineering practices to negatively affect the application to see how transaction logic will function while application is unfavourably conditioned. This helps identify edge cases that do not occur under normal processing activity.

Third-party security audit and assessment from independent third-party cybersecurity firms are needed to have an independent and unbiased view of security vulnerability and transaction flows.

Account velocity checks for merchant accounts to limit the number of transactions in a period of time and amount of each transaction new merchants can conduct until they can establish a reliable pattern. Increasing levels of velocity in terms of transaction thresholds will be associated with business milestones and transaction history with no anomalies.

4. Deploy Real-Time Fraud Detection Infrastructure

Advanced fraud detection mechanisms are essential for modern payment platforms:

Behavioural biometrics, analyzing user and merchant behaviour to identify deviations from typical patterns (such as keystroke patterns, time of transaction, device fingerprinting, and geolocation).

Network analysis tools that are able to map relationships among accounts to identify fraud rings. For example in the MobiKwik case, funds were funnelled to thousands of accounts at once - this would have raised red flags with advanced network analysis.

Transaction velocity controls that automatically throttle or stop transactions involving a particular merchant or with suspicious activity patterns.

5. Establish Robust Financial Controls

Payment platforms must have scenario-based financial risk mitigations in place to limit exposure:

Settlement hold on high risk accounts so that money can be held while the transaction is de-risked. While this may impact merchant cash flow, it provides a crucial window for fraud detection.

Merchant reserve requirements based on risk assessment, ensuring that platforms have recourse for fraudulent activity discovered after the settlement.

Daily reconciliation procedures to ensure every transaction across all platforms has been verified / deducted prior to end of day processing, to avoid discrepancies being undetected.

The Path Forward

As the MobiKwik experience demonstrated, technical glitches that are exploited result in losses that are too high and reputational damage. The lesson for safe B2B payment platforms is clear: security cannot be an afterthought, and must be built into every aspect of every layer of the technology stack, from transaction processing to merchant management systems.

While digital payments steadily grow in India's financial infrastructure, businesses that invest in their security infrastructure, offer process assisted observability, and continually test their processes will protect them from fraud and build trust with both their merchants and end consumers. In an environment where a single vulnerability could expose crores of rupees in days, security is no longer a luxury; it is a necessity for survival.