State Bank of India (SBI) has read the riot act to its net-banking account holders: register your mobile number on or before 30 November 2018, on pain of losing the net banking facility from 1 December 2018. While this is welcome, it is surprising that the bank has allowed net banking payments to go through all these years without the additional layer of protection of an OTP (one-time password) sent to one's mobile. One understands that SBI has been taking this precaution for large net banking payments and that the recent tightening of norms is only for smaller payments.
An OTP sent to one's mobile number is an additional layer of protection. Kotak Mahindra Bank allows a customer to log into his net banking account only after he has first entered his user ID or nickname and authenticated it with a password. Once this barrier is crossed, the OTP is sent.
Without the OTP, the customer cannot access his net banking account. Hackers might have penetrated the bank's system and obtained the account holder's user ID and password, but they would be baulked by the OTP, which lands on the account holder's mobile; he would then not only know at once that a hacker is at work but also that the hacker has been halted in his tracks.
To be sure, for small payments (Rs 2,000 or less) to merchants through their payment gateways, the bank relaxes its guard if the account holder has volunteered to dispense with the OTP, a freedom the bank does not invariably allow except for trusted merchant establishments. RBI, however, would do well to mandate the double layering of protection, password followed by OTP, for all payments, small or big.
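The two-step flow described above (ID or nickname plus password as the first barrier, then an OTP that must be entered before anything goes through) can be sketched in code. The following is an added illustration, not the software of SBI, Kotak Mahindra Bank or any other bank: the validity window, the three-guess limit, the binding of each OTP to one purpose (a login or one specific payment), the hashing parameters and the in-memory "outbox" standing in for SMS and e-mail delivery are all assumptions chosen for the example. The purpose binding goes slightly beyond the column: it makes an OTP captured for one transaction useless for a different one.

```python
"""Password-then-OTP authorisation.

Added illustrative code, not any bank's implementation. Limits, hashing
parameters and the fake delivery 'outbox' are assumptions for the demo.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 180      # assumed validity window
OTP_MAX_ATTEMPTS = 3       # assumed wrong-guess limit before the OTP is voided


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash for the first factor (PBKDF2; cost is illustrative)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    mobile: str
    email: str

    @classmethod
    def create(cls, user_id: str, password: str, mobile: str, email: str):
        salt = secrets.token_bytes(16)
        return cls(user_id, salt, hash_password(password, salt), mobile, email)

    def check_password(self, password: str) -> bool:
        # constant-time compare so timing does not leak how much of the hash matched
        return hmac.compare_digest(self.pw_hash, hash_password(password, self.salt))


@dataclass
class OtpChallenge:
    """A single-use OTP tied to one account and one purpose."""
    user_id: str
    purpose: str          # "login" or e.g. "pay:<payee>:<amount>"
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


def new_otp() -> str:
    """Uniformly random numeric code from the OS CSPRNG, zero-padded."""
    return f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"


def issue_otp(account: Account, purpose: str, outbox: list, now: float) -> OtpChallenge:
    """Create an OTP and 'send' it on both registered channels.

    outbox collects (channel, address, text) tuples in place of real SMS and
    e-mail delivery, so the example runs offline.
    """
    ch = OtpChallenge(account.user_id, purpose, new_otp(), now)
    text = f"OTP {ch.code} for {purpose}. Valid {OTP_TTL_SECONDS // 60} min. Do not share."
    outbox.append(("sms", account.mobile, text))
    outbox.append(("email", account.email, text))
    return ch


def verify_otp(ch: OtpChallenge, code: str, purpose: str, now: float) -> tuple:
    """Return (ok, reason). The OTP is single-use, time-limited, guess-limited
    and only valid for the purpose it was issued for."""
    if ch.used:
        return False, "already used"
    if now - ch.issued_at > OTP_TTL_SECONDS:
        return False, "expired"
    if purpose != ch.purpose:
        # a code captured for one transaction must not approve another
        return False, "purpose mismatch"
    if ch.attempts >= OTP_MAX_ATTEMPTS:
        return False, "too many attempts"
    ch.attempts += 1
    if not hmac.compare_digest(ch.code, code):
        return False, "wrong code"
    ch.used = True
    return True, "ok"


def login_step1(accounts: dict, user_id: str, password: str, outbox: list, now: float):
    """First barrier: ID (or nickname, if the dict maps it) plus password.
    Only a correct password triggers the OTP; returns None otherwise."""
    acct = accounts.get(user_id)
    if acct is None or not acct.check_password(password):
        return None
    return issue_otp(acct, "login", outbox, now)


if __name__ == "__main__":
    # constructed sample account; the addresses are placeholders
    book = {"alice": Account.create("alice", "correct horse", "+91-90000-00000", "alice@example.invalid")}
    sent = []
    pending = login_step1(book, "alice", "correct horse", sent, now=0.0)
    print("channels used:", [c for c, _, _ in sent])
    print(verify_otp(pending, pending.code, "login", now=10.0))
```

The password alone never yields a session: `login_step1` returns a pending challenge, and the caller must get a `(True, "ok")` from `verify_otp` before granting access. A payment would be issued with a purpose such as `pay:bob:5000`, so the same code cannot be replayed against a login or a different payee.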
A few months ago, an unwell homemaker in Bangalore had allowed her husband to withdraw Rs 25,000 from an SBI ATM. The money was not dispensed at the ATM, but her account was nevertheless debited. The bank took shelter under the fact that she had sent a proxy to make the withdrawal, and the consumer court, agreeing with the bank, absolved it of any liability.
The RBI would do well to rein in fraudulent ATM withdrawals through the time-tested OTP mechanism. Cash in excess of Rs 1,000 should not be dispensed by an ATM unless an OTP has been entered as an additional safeguard. It is easy to manipulate and fool an ATM, but far harder to fool both the ATM and the account holder's mobile phone.
Banks and consumer courts should not make an issue of proxies withdrawing from ATMs so long as the double layer of protection against fraud has been complied with. As an additional safeguard, once a customer has withdrawn up to Rs 1,000 during the course of a day without an OTP, he should not be allowed further withdrawals without an OTP till the day is over.
At merchant establishments, too, where a customer swipes his card, an OTP should be mandated lest the establishment or its employees tamper with the terminal and glean the card number and the PIN.
The OTP thus presents itself as the remedy for digital payment frauds. It follows the basic auditing principle that no employee should be allowed to complete a transaction all by himself. Likewise, involving two devices, the ATM and the mobile, all but rules out fraud unless a person has lost both his card (along with its PIN) and his mobile phone at the same time. The one caveat is that the OTP is only as safe as the channel and the customer: a fraudster who has taken over the mobile number, or who talks the customer into reading the code out over the phone, gets past it.
What about mobile wallets and payments through mobile apps? Well, the RBI can mandate that the OTP be sent to an alternate cell number, which could be that of one's spouse, for transactions in excess of Rs 1,000.
Part of the reluctance to make digital payments is attributable to the stories of hacking and systems failures doing the rounds. The OTP can win over such reluctance. In any case, no precaution is too much when it guards account holders' hard-earned money. Double layering protection with an OTP is not security overkill. It is possible that banks' SMS servers, as well as the mobile operators' systems, might be overburdened and collapse at times, stopping the digital transaction or ATM withdrawal at the last minute. It is for this reason that some banks simultaneously send the OTP to one's registered email address in addition to one's registered mobile number.
(The author is a senior columnist and tweets @smurlidharan)
Updated Date: Nov 20, 2018 15:17