Time to upgrade internet banking.
By Rajkamal Rao
Source: The Hindu Business Line
For an industry which spearheaded universal use of the One Time Password (OTP) — and made western banks follow its lead — most Indian banks today are slowly losing their grip on the customer experience. They’re obsessed with security to the point where convenience is compromised, making consumers cringe to even launch their web browsers.
Have you noticed how some banks now use Captchas as early as the login screen? Captchas are those annoying boxes challenging you to decipher an image and key in an obscured sequence of letters or digits that appears on the screen. The idea is to tell bots apart from humans, but seriously, why are banks forcing a Captcha check to return a list of branches or to file an online complaint?
In a world where mobile wallet apps can complete a transaction with just an OTP, most banks continue to utilise four passwords to transfer funds to a new beneficiary: Login/Sign-on, Transaction, Profile, and the OTP, while also imposing cooling-off periods and restrictions on amounts sent.
Further, banks routinely force you to change all these passwords frequently, a heavy burden on an internet culture that is habitually rather negligent about online security. We’re a people who freely give out our mobile numbers and email IDs to complete strangers, with many of us leaving our Android phones on the default swipe-to-unlock.
But forcing frequent password changes does not improve security. All it does is make customers game the system by adding an easy suffix or prefix (such as the current month) to the same old password (the name of a child or spouse) and move on. Because these suffixes are difficult to remember, customers are likely to write down the entire password on a piece of paper, which is a far bigger security risk. This is why current guidance such as the US NIST Digital Identity Guidelines (SP 800-63B) advises against forced periodic changes and recommends changing a password only when there is evidence it has been compromised.
The truth is that banks can dramatically improve security without unduly burdening the customer. For example, if banks love Captchas so much, why don’t they deploy Google’s free reCAPTCHA, which performs the same bot check with a single checkbox click and shows an image puzzle only when its risk analysis is unsure?
The “trusted device” solution, commonly deployed by western financial institutions, is another example of how banks can improve security without taxing the customer. The bank initially asks the customer a series of “challenge questions”, such as “Who is your favourite actor?”, and stores the answers in its database. It then lodges a signed “cookie” in the customer’s browser designating that device as trusted, and as long as she uses this device she is spared from having to authenticate herself with needless extra passwords. (Were she to log in from another machine, at a friend’s home, the bank would find no cookie, become suspicious and ask her for the answers to the challenge questions.) The real gain comes from the device binding: an unfamiliar device triggers a step-up check, a familiar one does not. The challenge questions themselves are the weak link, since an answer like a favourite actor is often guessable or public, so the step-up on a new device is better done with an OTP to the registered phone. Either way, this is a far safer and more convenient approach than requiring frequent password changes.
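The following is an added illustration, not code from the article or from any bank, of how a trusted-device cookie can be built so that it is actually safer than an extra password. The cookie carries the user, a random device handle and an expiry, all authenticated with an HMAC under a server-side key, and the device handle is checked against a revocation list so a stolen cookie can be cancelled. The names (SERVER_KEY, TRUSTED_DEVICES, login_decision) and the in-memory store are assumptions made for the example; a bank would keep the key in an HSM and the device list in a database.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Set

# Server-side signing key. Assumption: in a real deployment this comes from an HSM or
# key-management service; it is generated here so the example runs offline.
SERVER_KEY = secrets.token_bytes(32)

# Hypothetical revocation store: user -> device ids that are still trusted. Removing an
# id here is how "forget this device" or "sign out everywhere" works.
TRUSTED_DEVICES: Dict[str, Set[str]] = {}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_trusted_device(user_id: str, ttl_seconds: int = 90 * 86400,
                         now: Optional[float] = None) -> str:
    """Called once the customer has passed the step-up check on this device.
    Returns the cookie value; the HTTP layer should set it with Secure, HttpOnly and SameSite."""
    device_id = secrets.token_hex(16)          # random handle, not a browser fingerprint
    expires = int((time.time() if now is None else now) + ttl_seconds)
    payload = {"u": user_id, "d": device_id, "exp": expires}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    TRUSTED_DEVICES.setdefault(user_id, set()).add(device_id)
    return _b64e(body) + "." + _b64e(tag)


def is_trusted_device(cookie: Optional[str], user_id: str,
                      now: Optional[float] = None) -> bool:
    """True only if the cookie parses, its MAC verifies, it was issued to the user now
    logging in, it has not expired and the device has not been revoked."""
    if not cookie or cookie.count(".") != 1:
        return False
    body_s, tag_s = cookie.split(".")
    try:
        body, tag = _b64d(body_s), _b64d(tag_s)
    except ValueError:                           # malformed base64
        return False
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time; also rejects truncated tags
        return False
    payload = json.loads(body)                   # safe: only server-signed bodies get here
    if payload.get("u") != user_id:              # cookie issued to another customer
        return False
    if payload.get("exp", 0) < (time.time() if now is None else now):
        return False
    return payload.get("d") in TRUSTED_DEVICES.get(user_id, set())


def revoke_device(user_id: str, cookie: str) -> None:
    """Forget one device, e.g. after the customer reports a stolen laptop."""
    payload = json.loads(_b64d(cookie.split(".")[0]))
    TRUSTED_DEVICES.get(user_id, set()).discard(payload["d"])


def login_decision(cookie: Optional[str], user_id: str,
                   now: Optional[float] = None) -> str:
    """What the login flow does after a correct password on this device."""
    if is_trusted_device(cookie, user_id, now):
        return "skip-step-up"
    return "step-up-challenge"       # unfamiliar device: OTP or challenge questions
```

Two design points matter here. The MAC is checked before the payload is parsed, so a forged or tampered cookie never reaches the JSON decoder, and the cookie is bound to the account, so a cookie lifted from one customer's browser does not make a different customer's login look familiar.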
Also, it is time that banks spared the customer the burden of having to depend upon the country’s overburdened SMS infrastructure for OTP transmissions. If the OTP is not received within the session window permitted (about three minutes), banks nullify an entire transaction, a frustrating prospect for the consumer.
As a first step, banks must deploy backup OTP channels so that customers are not anxiously waiting for an SMS OTP that may never arrive. Some banks already use an authenticator app (such as Google Authenticator) that generates a one-time code on the customer’s smartphone itself, with no network needed, and have abandoned the public SMS infrastructure altogether. Others send the OTP in a password-protected email as a backup, a simple but elegant fallback in case the SMS does not arrive in time. The idea is to make internet banking hassle-free.
Banks could also leverage their sprawling ATM networks to allow customers to generate and print a set of backup OTPs, each usable only once. (Google has championed this solution for years as the backup codes of its 2-Step Verification feature.) For safety, the printed slip would not display the name of the bank. If the customer loses a set, he simply returns to the ATM to generate a new set, which automatically invalidates the old one. Because the codes are generated at the ATM with the customer’s card, the card plays the role the phone plays for an SMS OTP: something the customer has. Banks can charge customers a nominal fee for this service.
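The printed backup-code scheme has three properties worth getting right: codes must be random and readable from a slip, the bank must store only a keyed hash of each code so a database leak does not expose them, and each code must be single-use with a new set replacing the old one. The example below is added here to show those rules in working code; it is not the article's or any bank's implementation, and the in-memory store, the pepper and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Set

# No 0/O or 1/I, so a code read off a printed slip is not misread.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

# Hypothetical store: account -> hashes of codes not yet used. Assumption: in a real
# bank this is a database row written by the ATM that printed the set.
_STORE: Dict[str, Set[str]] = {}

# Server-side pepper (assumed to live in an HSM) so a dump of _STORE alone does not
# let an attacker brute-force the codes offline.
_PEPPER = secrets.token_bytes(32)


def _hash(account: str, code: str) -> str:
    # A 10-character code from a 32-symbol alphabet carries about 50 bits of entropy,
    # so a keyed hash is sufficient; binding the account stops cross-account reuse.
    return hmac.new(_PEPPER, f"{account}:{code}".encode(), hashlib.sha256).hexdigest()


def issue_backup_codes(account: str, count: int = 10, length: int = 10) -> List[str]:
    """Generate a fresh set; any previous set for the account is invalidated."""
    codes = ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]
    _STORE[account] = {_hash(account, c) for c in codes}
    # Only the codes go on the slip, formatted for readability; no bank name.
    return [f"{c[:5]}-{c[5:]}" for c in codes]


def redeem_backup_code(account: str, code: str) -> bool:
    """Accept a code exactly once; returns False for unknown, used or invalidated codes."""
    normalised = code.replace("-", "").replace(" ", "").upper()
    digest = _hash(account, normalised)
    remaining = _STORE.get(account, set())
    if digest in remaining:
        remaining.discard(digest)       # single use
        return True
    return False


def codes_remaining(account: str) -> int:
    return len(_STORE.get(account, set()))
```

Because codes are stored hashed, the bank cannot reprint a lost set; it can only issue a new one, which is exactly the behaviour the ATM flow above describes.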
As things stand, engaging with banks at retail branches is already an unsatisfying experience for most customers. Now, engaging online is also becoming so. It’s time that banks upgraded the Indian online banking experience because customers deserve nothing less.
The writer is Managing Director, Rao Advisors LLC, US