Banks in India have been traditionally using the “Legally Non Compliant”, “Password based Authentication” for their E Banking requirements. As a result there are frequent customer-Bank conflicts where the customer demands that Bank should undertake the liability on account of Cyber Frauds while the Banks blame the customer for not securing the passwords.
The RBI on the other hand has been urging Banks to improve the authentication methods used by the Banks. Way back in 2001, RBI stated that if Banks donot use Digital Signatures for authentication, they should assume the legal risk for Phishing kind of frauds. They reiterated the same again in 2011 through GGWG (G Gopalakrishna Working Group ) recommendations on Information Security.
After the rap on the knuckles received by the S.Umashankar Vs ICICI Bank adjudication verdict, some Banks started thinking of digital signatures as a means of authentication. But most stuck to the passwords and only enhanced it through a mobile based second authentication for certain key elements of transactions.
On February 28, 2013, RBI again issued a set of guidelines for mitigating the risks in both the electronic payment transactions as well as the Payment card transactions. Apart from reiterating the need for using digital signatures at least for RTGS transaactions of a certain value, RBI in this guideline has spoken about the need for the use of “Adaptive Authentication Technology” .
Banking in India therefore is on the move from the 2 Factor authentication to a regime where apart from the multiple factors that contribute to the authentication of an online transactions, the technology of authentication should adapt to the “behavioural pattern” of the customer based on a real time assessment.
This technology should increase the security for the customers though Banks would grumble as always about the cost of implementation. But since this is the direction in which the global banking is moving , there is no option for Banks but to adopt the “Adaptive Authentication technology”. (AAT)
From the users perspective it should not make any difference. In fact the AAT is expected to be unobtrusive and non interfering. The foundation may still be based in the currently used authentication parameters such as “What the customer knows”, “What the customer has” and “What the customer is”, supplemented with technologies such as the public key encryption etc. But the difference is that the AAT provides a deeper level of security since based on the transaction parameters it will invoke additional security measures.
For example, if a person has never used his E Banking account from abroad and there is a debit request from a foreign IP, the system should get alerted and hold the transaction execution until further confirmation is obtained. Similarly, if the amount withdrawn is far in excess of the usual transaction or the number of transactions within a small time is high etc (All these are typical occurrences in a Phishing transactions), the system should invoke higher levels of security. The higher level of security may be to requisition an additional factor of authentication including a “Call Referral” where the customer is given a telephonic call where the voice of the customer may be recognized by the system for authentication.
Hopefully Bankers will start adopting this higher level of security soon. Today being the second anniversary of the RBI guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (popularly known as the G Gopalakrishna Working group or GGWG Recommendations), it is the right time for Bankers to take a pledge that they will leave no stones unturned for making Indian Banking Safe. Naavi therefore urges the industry to treat 29th April as the “Safe E Banking Day” and ensure that we remember our obligations and take steps towards protecting the citizens against E Banking frauds.
Naavi