The government of India in partnership with the National Payments Corporation of India (NPCI) launched the *99# service in 2012. It is a convenient way for any GSM mobile phone user to know his or her bank account details and transfer funds using the phone number registered with the banking service.
The *99# service has been around for the last four years, but it is not something banks openly advertise when you're opening an account. Maybe it is present in those terms and conditions documents, in tiny fonts, which many of us don't bother reading. The only other reason one can think of is that banks want to push their own apps for all the functions offered by this service.
The *99# number is an unstructured supplementary service data (USSD) based mobile banking service which brings together NPCI along with banks and telcos. According to the NPCI website, this is the list of participating banks, participating telcos and multi-lingual codes for the *99# service. Using the *99# service, you can check your account balance, get a mini statement, send money using MMID, send money using IFSC and generate an MPIN. It uses your voice connectivity service to transmit data in the form of SMS, and there are no additional charges for using this service while roaming. It even works on feature phones which have no internet data connectivity - a definite plus for those still not using smartphones and therefore having no access to the bank's mobile application. It works 24x7, even on bank holidays.
While these services are quite convenient, the entire thing is predicated on the assumption that your mobile phone and SIM card are always with you. It does stress the importance of always having a lock on your smartphone, to prevent misuse. And let's face it, we are not always careful about keeping our phones locked.
But despite four years in existence, there is no user validation at all once you fire up the *99# service to check your account balance or mini statement.
For instance, after entering your bank name and selecting, say, option '1. Account Balance', you simply get an SMS response with your account balance. The same goes for option '2. Mini statement'. There is no prompt for a separate PIN. So anyone who has access to your unlocked phone can easily find out your account balance.
For many, that may not be such a big deal. But for others, even someone else knowing their account balance can be a matter of great concern. And certainly a mini statement, which shows the details of the last five transactions, being served without any authentication is something to worry about.
Thankfully, fund transfers are protected via a mobile PIN (MPIN) which the account holder can generate and use. Even while generating an MPIN, according to the NPCI FAQs page, some banks may require you to enter additional data such as the last four digits of your account number. The omission of this MPIN authentication when viewing the account balance and mini statement is surprising.
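To make the gap concrete, here is a toy USSD menu handler that models the flow the post describes: the policy as deployed, where only transfers ask for the MPIN, beside a hardened policy where every option that reveals or moves account data is gated behind it. This is an added, constructed example, not NPCI's or any bank's code; the bank name, mobile number, balance, transactions, MPIN and lockout threshold are all made up, and the real *99# protocol and menu text are not reproduced.

```python
"""Toy USSD menu handler modelling the *99# balance / mini statement flow.

Constructed example, not NPCI's or any bank's code. Account data, MPIN and
menu text are invented; the point is the per-operation authentication policy.
"""
import hashlib
import hmac

# Constructed demo account, keyed by the registered mobile number.
ACCOUNTS = {
    "9100000001": {
        "bank": "DEMO BANK",  # hypothetical bank name
        "balance": 12500.50,
        "mini_statement": ["-500 ATM", "+20000 SALARY", "-1200 TRANSFER",
                           "-350 CARD", "-99 FEE"],
        # Store only a salted hash of the MPIN, never the MPIN itself.
        "mpin_salt": b"demo-salt",
        "mpin_hash": hashlib.sha256(b"demo-salt" + b"4321").hexdigest(),
        "failed_attempts": 0,
    }
}
MAX_FAILED_ATTEMPTS = 3  # assumed lockout threshold, not a published value

# Policy as the post describes the service: balance and mini statement are
# served to whoever holds the handset; only fund transfers demand the MPIN.
AS_DESCRIBED_POLICY = {
    "1": ("Account Balance", False),
    "2": ("Mini Statement", False),
    "3": ("Send Money (MMID)", True),
    "4": ("Send Money (IFSC)", True),
}

# Hardened policy: every option that reads or moves account data needs the MPIN.
HARDENED_POLICY = {opt: (name, True) for opt, (name, _) in AS_DESCRIBED_POLICY.items()}


def verify_mpin(account, mpin):
    """Constant-time check of the salted MPIN hash, with lockout after repeated failures."""
    if account["failed_attempts"] >= MAX_FAILED_ATTEMPTS:
        return False
    candidate = hashlib.sha256(account["mpin_salt"] + mpin.encode()).hexdigest()
    ok = hmac.compare_digest(candidate, account["mpin_hash"])
    account["failed_attempts"] = 0 if ok else account["failed_attempts"] + 1
    return ok


def handle_request(policy, msisdn, option, mpin=None):
    """Serve one menu selection under the given policy; return the reply text."""
    account = ACCOUNTS.get(msisdn)
    if account is None:
        return "Mobile number not registered for *99#"
    entry = policy.get(option)
    if entry is None:
        return "Invalid option"
    name, needs_mpin = entry
    if needs_mpin:
        if mpin is None:
            return f"{name}: enter MPIN"
        if not verify_mpin(account, mpin):
            return "Incorrect MPIN or account locked"
    if option == "1":
        return f"{account['bank']} balance: INR {account['balance']:.2f}"
    if option == "2":
        return "; ".join(account["mini_statement"])
    return f"{name}: proceed"  # transfer details would follow in a real flow


if __name__ == "__main__":
    # As described: the balance comes back with no PIN at all...
    print(handle_request(AS_DESCRIBED_POLICY, "9100000001", "1"))
    # ...while the hardened policy prompts for the MPIN first.
    print(handle_request(HARDENED_POLICY, "9100000001", "1"))
    print(handle_request(HARDENED_POLICY, "9100000001", "1", mpin="4321"))
```

The design point is that the authentication requirement lives in the policy table rather than in each handler, so a read-only option cannot quietly fall through without a PIN check; the MPIN is stored only as a salted hash, compared in constant time, and repeated wrong guesses lock the account rather than allowing an unbounded number of tries from a borrowed handset.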
The objective may be noble - to let anyone with a GSM number get quick information about their bank account. One may also argue that getting access to an unlocked smartphone could give the intruder access to a lot more, so it is pertinent that a user always takes measures to keep his or her phone secure. Having said that, bank account balances and bank statements are very personal, and should ideally under no circumstances be visible to anyone other than the account holder.