Debit card scare: Can a one-time password for ATM withdrawal be the solution?

That as many as 30 lakh ATM/debit cards are compromised is a reason enough for alarm. SMS message from the bank post withdrawal is good from the accounting point of view but from the security point of view it is like bolting the doors after the horses have fled. There is no reason why banks issuing ATM/debit cards should not mandate furnishing of one’s cell number in the application form itself which then should be interwoven into the ATM security architecture. [caption id=“attachment_772733” align=“alignleft” width=“380”]  Reuters[/caption] A parallel can be drawn between ATM withdrawal and internet banking. Techno-savvy banks long ago realised that login ID and password aren’t good enough to prevent internet banking frauds because for a fraudster both are available on successful hacking at one place. They realised that there must be an additional safeguard in the form of a security feature not available as a tell-tale mark in one’s internet banking account. One time password or OTP emerged as the answer. OTP is a one time password with a validity of anything between say 15 minutes to one hour given the fact that a reasonable time is enough to consummate a online payment transaction and that a longer period is dangerous because hackers on the prowl on the virtual world may seize the opportunity to carry out their nefarious designs. And since it is sent to an independent device– -one’s cell phone through telephone lines– -it makes for a robust additional security feature. The beauty of OTP is it is unique for each transaction. It is generated by the bank’s software for the purpose randomly. An account holder might be indolent and not change his password/PIN for years together but if change is built into the system itself as is the case with OTP, it is what the doctor has ordered. Of course, as always there are downsides. Banks incur additional cost on sending sms messages but considering the security it provides both to it and its customer, the expense is worth it. Secondly, it sometimes happens that the sms reaches one’s cell rather late due to snags in tele communication networks but the system itself factors this in when it asks the account holder to call the specified number which automatically gives the OTP in case he doesn’t receive it in the first instance. The OTP regime obtaining for internet banking can and should be replicated for ATM withdrawals. It is a trifle baffling that why the banking regulator RBI did not do it all these years. There are minor issues though which of course should not come in the way of its introduction– – the one going to withdraw must be armed with the cell phone of the account holder. This could be an irritant given the fact that often family members help each other, and the account holder often hands over the ATM card to his kin and discloses the PIN to him. But then as said it is only a minor irritant. Alternatively, biometric cards can become the norm. As it is, it has been conceived of as a rural banking tool with illiterates being unable to remember and use PIN. The truth however is biometric cards’ potential goes beyond rural banking and commends itself as universal adoption given its robust security feature. Biometric features like fingerprints and iris are unique to each individual and therefore can be an excellent safeguard against ATM frauds. But as with OTP, biometric cards also impose additional costs on the banks with ATM machines becoming that much more costly. The downside from the account holder’s point of view is he has to go himself to the ATM and cannot ask his close relatives or friends in whom he has confidence to withdraw on his behalf. This could be a serious limitation especially at times when the account holder’s mobility is limited or ruled out. He may be bed-ridden for example. My vote therefore is for OTP. It is more user-friendly than a biometric card. But that doesn’t mean biometric cards should not be issued.