BW Businessworld

Plugging The Loopholes


The Reserve Bank of India's (RBI) instruction to provide an additional layer of security and authentication for all online transactions is not exactly the panacea for all that plagues the Rs 450 crore (2008 figure) internet financial transactions space. But can it at least resolve some of the concerns of exposing yourself to a financial transaction on the internet?

Starting 1 August, the RBI has made it mandatory to provide an extra layer of authentication (password/PIN) that is not visible on the cards. Also, a mandatory online alert for all cardholders has to be in place. Non-adherence to these will be penalised under the Payment and Settlement Systems Act 2007.

Banks say they already had a mechanism in place for banking transactions, but not necessarily for credit cards. "Online banking needs two passwords - a regular one and a transaction one," says Aniruddha Paul, head-IT change delivery at ING Vysya Bank. "Validating the pin during a transaction is also important." While that is true for banking transactions, credit card transactions have been far more vulnerable because the online transaction password for credit cards is the CVV number that is mentioned at the back of the card itself. All other identification details required for an internet transaction, such as the name of the cardholder and the year of expiry of the card, are mentioned on the card.

Interestingly, the two transaction verification methods that credit card companies are now banking on - Verified by VISA and MasterCard Securecode - are a protection against dummy sites but may still be unable to identify a phisher (phishing is a fraudulent practice of acquiring user names, passwords and credit card details by masquerading as a trustworthy entity in an e-mail or an electronic message) from a genuine cardholder. Verified by VISA, for instance, asks almost the same verification details of the cardholder as does the merchant's website (it requires logging in with a unique ID and password, but often people use a common login and password for multiple sites). So, a buyer ends up filling the same details at two different websites (the merchant's and VISA's). If the phisher has already accessed those details, he can go through the transaction on VISA's site as well.

A more reliable option is an MP3 player-like device that banks such as HSBC have given their card holders as well as account holders. It generates an e-code that changes every 9 seconds and has to be fed into the website to verify the card-holder. "With the extra layer, the probability of fraud will be absolutely minimum (if not zero)," says R. Venkatesh, head-delivery channel for HSBC Bank. Such a device takes care of phishing, which happens largely at the transaction processing level.
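A sketch of how a rotating e-code of this kind can be generated and checked, added here as an illustration and not taken from the article or from any bank's system. It assumes the standard time-based one-time password construction (RFC 6238, HMAC-SHA1) with the 9-second interval quoted above; the 6-digit length, the `Verifier` class and the sample secret are hypothetical.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 9   # rotation interval quoted in the article
DIGITS = 6         # assumed code length, not stated in the article


def ecode(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238-style code for the time window that contains unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Bank-side check: each code is accepted once, within a clock-drift window."""

    def __init__(self, secret: bytes, drift_windows: int = 1):
        self.secret = secret
        self.drift = drift_windows
        self.last_counter = -1  # highest time window already accepted

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP_SECONDS
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter <= self.last_counter:
                continue  # window already used (or older): reject replays
            expected = ecode(self.secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    bank = Verifier(b"constructed-demo-secret")  # constructed sample secret
    now = 1249862400                             # constructed timestamp
    code = ecode(bank.secret, now)               # what the device would display
    print("fresh code accepted:", bank.verify(code, now))
    print("same code replayed: ", bank.verify(code, now))
    print("code used 60s later:", Verifier(bank.secret).verify(code, now + 60))
```

Unlike the CVV or a static Verified by VISA password, a code captured earlier stops verifying once its window has passed, and the single-use check rejects a second submission inside the window.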

According to CERT-In, an arm of the Department of IT, phishing has seen a steep rise from 392 cases in 2007 to 604 in 2008, with 312 cases already reported by June 2009. The maximum e-frauds are being conducted by the age group of 18 to 30 years.

"Phishers also use popular themes like Michael Jackson and solar eclipse to lead users to dummy banking sites, where people might end up giving their bank details," says Amit Nath, country manager of Trend Micro. While this can be avoided only if consumers are careful about the Web address of their service provider, phishers who steal passwords and login information stored in the PC can be tackled by the latest internet browsers. Google Chrome (Incognito window) and IE 8 (InPrivate browsing) provide secure windows that do not leave any trace of the sites visited or login names and transaction passwords in the computer. In the fight for online safety, the RBI regulation may win a battle or two, but the war is far from over.

(This story was published in Businessworld Issue Dated 10-08-2009)