
Sunday, January 29, 2012

Is it time for 3FA (Three-Factor Authentication) in Indian ATMs?



The trigger for this thought is this Economic Times article.
It seems the speakers at the meet have a strong tendency to blame bankers, especially those associated with ATM operations, for the fake-notes menace.

Maybe the speakers have not read this article: Security Features of Indian Notes.

The aim of this article is not to explain what 1FA, 2FA or 3FA (one-, two- or three-factor authentication) is, but to analyse the pros and cons of 3FA.

3FA, in simple terms, is the verification of a user's request by three separate, independent factors, to confirm that the request has been raised by the legitimate user and not by a third party.

3FA is not 100% secure; nothing in this world is. What it does is force an attacker to compromise three independent factors instead of two.
ATMs in India currently have 2FA, i.e. 'something the user has' (the ATM card) and 'something the user knows' (the PIN). Strictly speaking, only a biometric adds a new category, 'something the user is'; an OTP sent to a registered mobile or a security token is a second 'something the user has'. That still helps, because the attacker must then obtain two separate objects, but it should not be mistaken for a third kind of factor.

There is a wide choice for the third factor:
  1. Biometric (UIDAI being the best example)
  2. OTP (one-time password)
  3. Security tokens
  4. Card lock-in options
  5. Transaction authentication

The pros and cons of each option, in brief, are as under:

  1. Biometric (UIDAI being the best example)
PROS:
a) Tools exist to make this a reality.

CONS:
a) UIDAI is yet to stabilise.
b) The implementation and maintenance costs right now are substantial.
c) Biometric verification tools on a large scale are not common in India.


  2. OTP (one-time password)
PROS:
a) OTPs are becoming common.
b) The implementation and maintenance costs are lower.

CONS:
a) OTP features need to be integrated into the ATM network. This is not a big inhibitor, as the majority of ATMs are now part of the NFS (National Financial Switch) network. The factor that might be a stumbling block is the validity period of the generated OTP, i.e. for how long it stays live. Currently the industry average is 2 hours for net-banking non-financial OTPs; for financial OTPs the life is far shorter, a few seconds to a few minutes. Whatever window is chosen, a long-lived OTP is effectively a second password for that window, so it must be accepted once only and discarded on first use.

  3. Security tokens
PROS:
a) Proven technology.
b) Costs are low.

CONS:
a) Integration with the ATM network is required.
b) Who will bear the cost of the security token?

  4. Card lock-in options
In simple terms, card locking means allowing bank customers the option to lock and unlock their cards to permit or deny account use at automated teller machines (ATMs), point-of-sale (POS) devices or internet sites.
Some banks have already opted for this feature. Check out Card Lock-in and Diebold's card lock-in feature.
PROS:
a) A relatively new concept, so banks can be encouraged to hop on to the bandwagon.
b) SMS/branch/phone/net banking channels can be multiple touch points for this option.
Note that card locking is an authorisation control (the customer decides when the card may be used at all) rather than an authentication factor presented at the ATM: it shrinks the window in which a cloned card is usable, but it does not by itself verify who is standing at the machine.

  5. Transaction authentication
Transaction authentication means using an additional electronic signature generated on the basis of the amount to be withdrawn from the ATM. The electronic signature can be an OTP that is generated only after the amount to be withdrawn is keyed into the ATM, so that the code is bound to that specific request and cannot be reused for a different one. However, the main drawback is that the time frame to complete the whole cycle of an ATM withdrawal is short, and introducing transaction authentication in the present setup is a challenge.
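The OTP validity discussion above (2 hours for non-financial, far shorter for financial) leaves out the checks that matter as much as the window itself. The following is an added example, not code from this post or from any bank or switch: a small OTP issuer/verifier for an ATM back end that enforces a configurable validity window, single use, a guess budget and a constant-time comparison. The TTL values, the `FakeClock` helper, the customer ids and the in-memory store are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed validity windows in seconds, following the split the post describes:
# long-lived for non-financial requests, short-lived when money moves.
NON_FINANCIAL_TTL = 2 * 60 * 60   # 2 hours
FINANCIAL_TTL = 60                # one minute; tune to the ATM flow

MAX_ATTEMPTS = 3  # a 6-digit OTP survives only a handful of guesses, so budget them


class FakeClock:
    """Controllable clock (assumed helper) so expiry can be exercised without sleeping."""

    def __init__(self, now: float = 0.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


@dataclass
class PendingOtp:
    code: str
    expires_at: float
    attempts: int = 0
    used: bool = False


class OtpService:
    """In-memory OTP issuer/verifier keyed by (customer, purpose).

    A real deployment would keep this state in the switch's database; the
    checks are the same: expiry, single use, guess budget, constant-time compare.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # (customer, purpose) -> PendingOtp

    def issue(self, customer: str, purpose: str, ttl: int) -> str:
        # secrets.randbelow draws from the OS CSPRNG; zero-pad to six digits.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[(customer, purpose)] = PendingOtp(code, self._clock() + ttl)
        return code

    def verify(self, customer: str, purpose: str, candidate: str) -> bool:
        key = (customer, purpose)
        entry = self._pending.get(key)
        if entry is None or entry.used:
            return False                      # nothing issued, or already consumed
        if self._clock() > entry.expires_at:
            del self._pending[key]
            return False                      # expired: the customer must request a fresh OTP
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[key]
            return False                      # guess budget exhausted: invalidate, not just reject
        if not hmac.compare_digest(entry.code.encode(), candidate.encode()):
            return False
        entry.used = True                     # single use: presenting the same code again fails
        return True


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    svc = OtpService(clock)
    code = svc.issue("cust-1", "withdraw", FINANCIAL_TTL)
    print("first use ok:", svc.verify("cust-1", "withdraw", code))          # True
    print("replay rejected:", not svc.verify("cust-1", "withdraw", code))   # True
    later = svc.issue("cust-1", "withdraw", FINANCIAL_TTL)
    clock.now += FINANCIAL_TTL + 1
    print("expired rejected:", not svc.verify("cust-1", "withdraw", later))  # True
```

The purpose key is what keeps a balance-enquiry OTP from being replayed against a withdrawal; the guess budget is what keeps a short numeric code from being brute-forced inside even a 2-hour window.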







Wednesday, January 25, 2012

26/01/2012 - RTGS/NEFT Closed. IMPS Open

26/01/2012 - India's Republic Day.
RTGS/NEFT and all other clearing systems are closed for the day, i.e. 26/01/2012.


So, you can try out IMPS for inter-bank transfers.
For intra-bank transfers, try IMPS, ATM transfer, net banking transfer or mobile banking transfer.


Enjoy the Republic Day festivities. 

Monday, January 23, 2012

ArrayShield Card - One more weapon from India for Online Security



This morning, while reading 'The Hindu' @ Safe, I read about the ArrayShield product, the ArrayShield Card.

More about this card can be read at the company's website: How it works?
In the last couple of months, my focus has been on solutions for safe online banking technologies.

The ArrayShield Card makes a beginning in a new direction for 2FA (two-factor authentication).
It does not rely on mobiles or RSA tokens, but on a proprietary translucent ArrayShield card.

The process, in brief, is as under:
      1. Users choose a memorable pattern (a sequence of cells on the array) as their secret and register it.
      2. Every time they log on to an ArrayShield-protected site, they are presented with a challenge array of random characters on their computer screen.
      3. The user overlays the ArrayShield card on the challenge; the card reveals the specific values at the cells of the registered pattern.
      4. Those values form a one-time password (OTP), which is entered on the login page.
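To make the four steps concrete, here is an added example that models the pattern-based challenge-response described above. It is not ArrayShield's code or algorithm: the 5x5 grid, the digit alphabet, the minimum pattern length and the way a response is read off the grid are all assumptions. The point it shows is that the secret (the pattern of cells) never crosses the wire; only a response to a freshly generated grid does, and that response is useless against the next grid.

```python
import hmac
import secrets

GRID_ROWS = 5
GRID_COLS = 5
ALPHABET = "0123456789"   # assumed; the real card may use a richer character set
MIN_PATTERN_LEN = 6


def register_pattern(cells):
    """Enrolment-time validation of the user's secret: a tuple of (row, col)
    cells, all inside the grid, all distinct, and long enough that a single
    observed response does not give the pattern away."""
    cells = tuple(cells)
    if len(cells) < MIN_PATTERN_LEN or len(set(cells)) != len(cells):
        raise ValueError(f"pattern needs at least {MIN_PATTERN_LEN} distinct cells")
    for r, c in cells:
        if not (0 <= r < GRID_ROWS and 0 <= c < GRID_COLS):
            raise ValueError(f"cell {(r, c)} is outside the grid")
    return cells


def make_challenge(rng=None):
    """A fresh random grid (list of row strings) for one login attempt.
    `rng` exists only for reproducible demos; production uses the CSPRNG."""
    pick = rng.choice if rng is not None else secrets.choice
    return ["".join(pick(ALPHABET) for _ in range(GRID_COLS)) for _ in range(GRID_ROWS)]


def expected_response(grid, pattern):
    """What the card reveals: the grid characters at the secret cells, in order."""
    return "".join(grid[r][c] for r, c in pattern)


def verify_response(grid, pattern, response):
    """Server-side check against the challenge actually issued for this
    session. Constant-time compare; the grid is discarded afterwards, so the
    response cannot be replayed."""
    expected = expected_response(grid, pattern)
    return hmac.compare_digest(expected.encode(), response.encode())


if __name__ == "__main__":
    import random
    rng = random.Random(42)   # reproducible demo only
    pattern = register_pattern([(0, 0), (1, 2), (2, 4), (3, 1), (4, 3), (0, 4)])
    grid = make_challenge(rng)
    print("\n".join(grid))
    otp = expected_response(grid, pattern)   # what the user reads through the card
    print("login accepted:", verify_response(grid, pattern, otp))
    # The next login gets a new grid, so the old OTP is useless to anyone who saw it.
    print("replay accepted:", verify_response(make_challenge(rng), pattern, otp))
```

One caveat a reviewer would raise for any scheme of this shape: an attacker who records several (grid, response) pairs, for instance through a phishing page that relays real challenges, can intersect the candidate cells and narrow down the pattern. The server must therefore issue each grid once, tie it to a single session, and cap failed attempts, exactly as it would for any other OTP.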


The ArrayShield Card has been launched very recently, and as its usage spreads by word of mouth, more and more websites would be interested in it.

As more products are introduced for safe e-banking, the number of converts from physical banking to e-banking will increase, benefiting banks as well as their customers.


Sunday, January 22, 2012

Public Holidays in Indian States during the year 2012 - Section 25 of the Negotiable Instruments Act, 1881



LIST OF Bank HOLIDAYS UNDER NEGOTIABLE INSTRUMENTS ACT, 1881 FOR THE YEAR 2012 in Andhra Pradesh

LIST OF Bank HOLIDAYS UNDER NEGOTIABLE INSTRUMENTS ACT, 1881 FOR THE YEAR 2012 in Assam

LIST OF Bank HOLIDAYS UNDER NEGOTIABLE INSTRUMENTS ACT, 1881 FOR THE YEAR 2012 in Bihar


LIST OF Bank HOLIDAYS UNDER NEGOTIABLE INSTRUMENTS ACT, 1881 FOR THE YEAR 2012 in Chandigarh
LIST OF Bank HOLIDAYS UNDER NEGOTIABLE INSTRUMENTS ACT, 1881 FOR THE YEAR 2012 in Chhattisgarh
LIST OF Bank HOLIDAYS UNDER NEGOTIABLE INSTRUMENTS ACT, 1881 FOR THE YEAR 2012 in DADRA & NAGAR HAVELI
LIST OF Bank HOLIDAYS UNDER NEGOTIABLE INSTRUMENTS ACT, 1881 FOR THE YEAR 2012 in Goa
LIST OF Bank HOLIDAYS UNDER NEGOTIABLE INSTRUMENTS ACT, 1881 FOR THE YEAR 2012 in Gujarat
LIST OF Bank HOLIDAYS UNDER NEGOTIABLE INSTRUMENTS ACT, 1881 FOR THE YEAR 2012 in Haryana
LIST OF Bank HOLIDAYS UNDER NEGOTIABLE INSTRUMENTS ACT, 1881 FOR THE YEAR 2012 in Jharkhand
LIST OF Bank HOLIDAYS UNDER NEGOTIABLE INSTRUMENTS ACT, 1881 FOR THE YEAR 2012 in Karnataka
LIST OF Bank HOLIDAYS UNDER NEGOTIABLE INSTRUMENTS ACT, 1881 FOR THE YEAR 2012 in KERALA
LIST OF Bank HOLIDAYS UNDER NEGOTIABLE INSTRUMENTS ACT, 1881 FOR THE YEAR 2012 in MADHYA PRADESH
LIST OF Bank HOLIDAYS UNDER NEGOTIABLE INSTRUMENTS ACT, 1881 FOR THE YEAR 2012 in NEW DELHI
LIST OF Bank HOLIDAYS UNDER NEGOTIABLE INSTRUMENTS ACT, 1881 FOR THE YEAR 2012 in ORISSA
LIST OF Bank HOLIDAYS UNDER NEGOTIABLE INSTRUMENTS ACT, 1881 FOR THE YEAR 2012 in PUNJAB
LIST OF Bank HOLIDAYS UNDER NEGOTIABLE INSTRUMENTS ACT, 1881 FOR THE YEAR 2012 in PUDUCHERRY
LIST OF Bank HOLIDAYS UNDER NEGOTIABLE INSTRUMENTS ACT, 1881 FOR THE YEAR 2012 in RAJASTHAN
LIST OF Bank HOLIDAYS UNDER NEGOTIABLE INSTRUMENTS ACT, 1881 FOR THE YEAR 2012 in TAMIL NADU
LIST OF Bank HOLIDAYS UNDER NEGOTIABLE INSTRUMENTS ACT, 1881 FOR THE YEAR 2012 in UTTARAKHAND
LIST OF Bank HOLIDAYS UNDER NEGOTIABLE INSTRUMENTS ACT, 1881 FOR THE YEAR 2012 in UTTAR PRADESH
LIST OF Bank HOLIDAYS UNDER NEGOTIABLE INSTRUMENTS ACT, 1881 FOR THE YEAR 2012 in WEST BENGAL
LIST OF Bank HOLIDAYS UNDER NEGOTIABLE INSTRUMENTS ACT, 1881 FOR THE YEAR 2012 in JAMMU & KASHMIR
















'SafeNet eToken 3500' – New Tool to combat Online Banking fraud. Which Bank will introduce this in India?




Indian bank customers, especially internet banking customers, are being made aware of the need for efficient security practices.

As the number of internet banking users is on the rise, the threats to internet banking are on the increase too.
It is a cat-and-mouse game between Indian banks and the internet fraudsters in the cyberworld.

The most common terms in internet banking security are MITM (Man-in-the-Middle) and MITB (Man-in-the-Browser).

SafeNet, 'The Data Protection Company' as its punchline goes, announced the launch of a comprehensive solution for addressing all risk levels in online banking.
The solution is the 'SafeNet eToken 3500'.

The main differentiator between the 'SafeNet eToken 3500' and its competitors is its ability to read the transaction data shown in the web browser and then generate a unique electronic signature that is used to validate the transaction.
Yes, the 'SafeNet eToken 3500' reads the transaction data off the screen when it is held up to the browser window. Check out the demo @ Demo.



The following are the steps to secure a financial transaction with the 'SafeNet eToken 3500':
  1. The user logs into the bank's internet banking site with his/her login ID and an OTP (one-time password) generated by the 'SafeNet eToken 3500'.
  2. The user inputs the amount to be transferred along with the beneficiary account number.
  3. The 'SafeNet eToken 3500' is held up to the computer screen and reads the amount and the account number.
  4. Based on these, the 'SafeNet eToken 3500' generates an electronic signature.
  5. The electronic signature, i.e. a number, is keyed into the bank's internet banking site.
  6. If the details tally, the transaction is approved.

The 'SafeNet eToken 3500' adds an additional security layer to the transaction. The advantage of logging into the bank's website with an OTP from the 'SafeNet eToken 3500' is that the user need not remember a password. This frees the bank from generating, storing and resetting passwords, and removes the static password that phishing pages and keyloggers harvest, though no login mechanism is safe 100% of the time.

Hm, not sure when this will be introduced in India.


What is a MITM (Man-in-the-Middle) attack?
A MITM attack is an attack in the cyberworld that involves intercepting the communication between two systems.
The motive is to read the exchanged data and inject false data. In internet banking, the false data can be a change in the intended beneficiary or in the amount of the respective transaction.

In its classic form, the attacker intercepts messages in a public key exchange and retransmits them, substituting his own public key for the requested one, so that the two original parties still appear to be communicating with each other while every message actually passes through the attacker.

How did the MITM attack get its name?
The attack gets its name from the ball game in which two people try to throw a ball directly to each other while a person between them attempts to catch it. In a man-in-the-middle attack, the intruder runs a program that appears to be the server to the client and the client to the server.

What are the various techniques to thwart a MITM attack?
Popular protection techniques against MITM attacks use authentication that is based on:

  1. Public key infrastructures (PKI), i.e. certificates that let each side verify the other's public key before trusting it.
  2. Stronger mutual authentication, such as:
a) secret keys (usually high-entropy secrets, and thus more secure), or
b) passwords (usually low-entropy secrets, and thus less secure).
  3. Latency examination, such as long cryptographic hash calculations that take tens of seconds; if the exchange normally takes 20 seconds and now takes 60 seconds to reach each party, the delay can indicate a third party.
  4. Second (secure) channel verification, e.g. confirming a key fingerprint or a transaction over a channel the attacker does not control.
  5. One-time pads, which are immune to MITM attacks assuming the security and trust of the pad itself.
  6. Carry-forward verification.

What is a MITB (Man-in-the-Browser) scenario?
In MITB, a trojan infects the web browser and gains the ability to modify pages, modify transaction content or insert additional transactions, all in a covert fashion invisible to both the user and the host application.

Security mechanisms such as SSL/PKI and two- or three-factor authentication solutions will not thwart MITB attacks, because the trojan acts after the user has authenticated, inside an already trusted session.

The only reliable way to repulse a MitB attack is transaction verification.
As the MitB trojan works by using the facilities provided to extend browser capabilities, such as Browser Helper Objects, extensions and user scripts, it is hard for signature-based virus scanners to detect.

In an example exchange between user and host, e.g. an internet banking funds transfer, the customer will always be shown, via confirmation screens, the exact payment details as keyed into the browser. The bank, however, will receive a transaction with materially altered instructions, i.e. a different destination account number and possibly a different amount.

Authentication, by definition, is concerned with the validation of identity credentials. This should not be confused with transaction verification. To counter MITB attacks, transaction verification has to be done over an out-of-band (OOB) mechanism that the browser cannot tamper with: the details the customer confirms must be the ones the bank actually received, not the ones the infected browser displays.
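The eToken steps above, the 'transaction authentication' option in the earlier ATM post and this MITB discussion all come down to the same mechanism: a signature bound to the amount and the beneficiary, computed from what the customer actually confirmed, and recomputed by the bank over what it received. The following is an added example, not SafeNet's algorithm or any bank's code: an HMAC-SHA256 signature in the style of the OATH HOTP/OCRA truncation, with a constructed key, account numbers and amounts. It shows why a login-only OTP does nothing against a man-in-the-browser while a transaction-bound signature does.

```python
import hashlib
import hmac

SIG_DIGITS = 8


def transaction_signature(key: bytes, amount: str, beneficiary: str, counter: int) -> str:
    """HMAC-SHA256 over (counter | amount | beneficiary), truncated to digits.
    The counter is a per-token sequence number, so signing the same transfer
    twice does not yield the same code (and an old code cannot be replayed)."""
    msg = f"{counter}|{amount}|{beneficiary}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation as in RFC 4226
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** SIG_DIGITS:0{SIG_DIGITS}d}"


def login_otp(key: bytes, counter: int) -> str:
    """An OTP that proves possession of the token but says nothing about the
    transaction; included only to show why it is not enough on its own."""
    return transaction_signature(key, "", "", counter)


def bank_verify(key: bytes, amount: str, beneficiary: str, counter: int, signature: str) -> bool:
    """Bank side: recompute over the instruction the bank actually received."""
    expected = transaction_signature(key, amount, beneficiary, counter)
    return hmac.compare_digest(expected.encode(), signature.encode())


def mitb_rewrite(tx: dict) -> dict:
    """What a man-in-the-browser does: the customer keeps seeing the intended
    transfer on every confirmation screen, but the request that leaves the
    browser carries a mule account (constructed value)."""
    return {**tx, "beneficiary": "MULE-000999"}


def run_scenarios(key: bytes = b"constructed-token-secret") -> dict:
    intended = {"amount": "5000.00", "beneficiary": "ACC-123456", "counter": 7}
    received = mitb_rewrite(intended)
    # The token signs what the customer confirmed on the token's own display,
    # which the browser cannot alter.
    sig = transaction_signature(key, intended["amount"], intended["beneficiary"], intended["counter"])
    otp = login_otp(key, intended["counter"])
    return {
        "honest_browser_accepted": bank_verify(
            key, intended["amount"], intended["beneficiary"], intended["counter"], sig),
        "mitb_accepted_with_tx_signature": bank_verify(
            key, received["amount"], received["beneficiary"], received["counter"], sig),
        # A login OTP is not bound to the transfer, so the rewritten request sails through.
        "mitb_accepted_with_login_otp": hmac.compare_digest(
            login_otp(key, received["counter"]).encode(), otp.encode()),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The design choice worth noting is where the signed values come from. If the token read them from the infected browser's page and the browser also drove the confirmation, the signature would simply cover the mule account. The token must show the amount and beneficiary on its own display (or the bank must send them over another channel, such as SMS) and the customer must check them there before the signature is produced.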


Thursday, January 19, 2012

National Financial Switch(NFS) gets a new member - The A P Mahesh Co-operative Urban Bank Ltd., Hyderabad.




The A P Mahesh Co-operative Urban Bank Ltd., popularly known as 'Mahesh Bank', joined NPCI's National Financial Switch (NFS) network on 30th December 2011.

The bank has a network of 36 branches: 28 in the twin cities of Hyderabad and Secunderabad, and one each at Khammam, Vijayawada, Guntur, Rajahmundry, Visakhapatnam and Warangal in Andhra Pradesh, Jaipur in Rajasthan and Mumbai in Maharashtra.

Mahesh Bank's customers can now access their bank accounts through the 86,000+ ATMs of the 63 other banks already in the NFS network.

Mahesh Bank commenced operations in 1977, and its customer base consists mainly of traders. Towards this end, it has also opened branches in Jaipur and Mumbai, both major trading centres.


Mahesh Bank started its life as a primary co-operative society on 30th June 1977.
In 1996, the bank was accorded scheduled status by the Reserve Bank of India with effect from 26th October 1996, the first co-operative bank in the whole of South India to be accorded this status.

In 2001, the bank registered as a multi-state co-operative bank under the Multi-State Co-operative Societies Act, 1984, with effect from 30.05.2001, again the first co-operative bank in South India to do so.

As Mahesh Bank is on an expansion spree, with the RBI permitting it to extend its area of operation to the entire states of Maharashtra, Rajasthan and Gujarat, the NFS route will enable it to attract more customers into its fold.

Tuesday, January 17, 2012

Delhi Metro to Provide Smart Card Recharge Facility at AFC Gates



As the use of contactless smart cards by Delhi Metro commuters is on the rise, Delhi Metro is looking at innovative ways to smoothen the recharge process.

Towards this, Delhi Metro is procuring the latest AFC (Automatic Fare Collection) gates, which will be capable of automatically topping up smart cards from the card holders' bank accounts through the Electronic Clearing Service (ECS).


As per the proposed process flow, for customers availing this facility, when the balance of a smart card goes down to a pre-defined minimum, the specific AFC gates will add a pre-defined amount to the card automatically.

Later on, the amount will be collected from the card holder's bank account by the Metro fare collection system. I am not sure what will happen if there is no balance in the card holder's bank account at the time of the debit.
In addition, DMRC is also developing a new technology through which commuters will be able to recharge their smart cards through various options such as net banking, credit cards and debit cards. DMRC is also procuring Add Value Machines for recharging smart cards at the stations through net banking, credit cards and debit cards.

'Add Value Machines' can be described as reverse ATMs: they accept cash and credit the equivalent value to the DMRC contactless card.

Like all good things in life, these new features are not instantly available, but will be 'live' within this calendar year, i.e. 2012.
Currently, tokens and smart cards can be purchased or recharged only by paying cash at the specified counters, machines or customer care centres at Metro stations.

Smart cards are very popular on the Delhi Metro as DMRC provides a 10% discount on fares for smart card use, and many stations have dedicated exit gates only for card users.

Monday, January 16, 2012

Now book your Indian Rail Tickets - ANYWHERE ANYTIME through your Mobile Phones. Wanna try?



IRCTC has taken another step to popularise electronic tickets. Currently, 50% of long-distance tickets are booked electronically. With the new feature of booking railway tickets through mobile phones, the share of electronic tickets is bound to go up.

The best part of this feature is that there is no need for the consumer to download any app to their mobile phone. They can directly log into the mobile website with the same user ID and password as used for internet rail ticket booking.


IRCTC brings you the mobile website https://www.irctc.co.in/mobile; with just a few clicks you can book your tickets using your mobile phone.
The IRCTC mobile website is convenient and easy to use, and can be accessed from any browser-enabled mobile with basic GPRS activated on the phone.

The following features are available:

Book Ticket/Enquiry: book tickets by providing source and destination.

Booked History: tickets whose date of journey is due will be visible.

Cancel Ticket: cancel any of the tickets whose date of journey is due.

Browse the URL on your mobile and book tickets using any of your credit/debit cards for payment.

Help for booking

1. Log in to the URL with your existing IRCTC user ID and password.
2. Fill in the details under 'Plan my travel'.
3. Select the train and continue the booking.
4. Use the existing passenger list to add passengers.
5. Confirm the booking details and pay through credit/debit card to complete the booking.
6. Receive an SMS and an email from IRCTC with the complete travel details.
7. Receive an SMS from your bank/credit card issuing bank for the amount debited from your credit/debit card.
Reference : Railway Board Letter No.2008/TG-I/10/P/SMS dated 20.07.2011

Electronic Reservation Slip (ERS): the printout in the standard specified proforma containing the reservation particulars and instructions for use, which can be used by the passenger, along with the relevant authorised identification, as travel authority for performing the journey.

Virtual Reservation Message (VRM): a screenshot of the e-ticket displayed on a laptop/palmtop/mobile phone.

ERS/VRM along with any one of the nine prescribed ID proofs in original, and the passenger(s)' name(s) appearing in the reservation chart, will authorise the passenger to travel.

VRM combined with a valid photo ID in original will be treated as an instrument on par with the ERS.

ERS/VRM along with one of the nine prescribed proofs of identity in original will also authorise the passenger to enter the platform on the day of journey, and he/she will not be required to purchase a platform ticket. ERS/VRM along with the original ID proof must be produced on demand of the ticket checking staff on the platform.

Note that a VRM is just an image and is trivially forged; it is the original photo ID together with the name on the reservation chart that actually authenticates the traveller.

Monday, January 9, 2012

Evolving Customer friendly Payment Systems in India – a continuing agenda




Today's post is on the inaugural address by Shri G. Padmanabhan, Executive Director, Reserve Bank of India, on the occasion of the launch of mobile banking services by Tamilnad Mercantile Bank Ltd on 9 January 2012 at Chennai.

The complete speech can be accessed at http://rbi.org.in/scripts/BS_SpeechesView.aspx?Id=652

Many new ideas in the Indian payments arena have been outlined in the speech.
On a quick reading, the zero liability/limited liability feature adopted by major credit card issuers in the USA seems to be the highlight of the speech.

What is the zero liability/limited liability feature in credit cards?
In simple terms, zero liability is a valuable benefit for consumers, virtually guaranteeing protection against card fraud: the card holder is not held liable for unauthorised transactions.

Of course, like all good things in life, zero liability has its own terms and conditions. These can be:
  1. those of the card network, i.e. Visa, MasterCard, American Express or Diners, and
  2. those of the card issuing bank.
There is a view that Indian credit card holders should be offered the benefit of the 'zero liability' feature. This has started: HDFC Bank Platinum Plus and HSBC Gold credit card holders can enjoy it. It is to be noted that 'zero liability' starts only after the card holder has reported the loss of the card to the bank in writing or to the Visa/MasterCard Global Emergency Assistance helplines.
A similar facility is offered by all credit card issuing banks on their high-end cards.
To increase the confidence of card holders in credit card transactions, the speech suggests that the 'zero liability' feature be extended to all credit card holders, as long as the customer has adhered to all the risk measures prescribed by the bank and unauthorised transactions have nonetheless taken place in his/her credit card account.

Hm, which bank will be the first to offer this facility?

Tuesday, January 3, 2012

Savings bank a/c number portability in India on anvil: Indian FinMin. This should be real by 2018


A simple definition of 'portability' is the quality of a thing that can be carried or moved with ease. In another sense it is 'capable of being transferred from one employer to another', as used of an employee benefit.

In India, in recent times, the word 'portability' has become familiar to mobile subscribers and health insurance policy holders.

Now the word 'portability' will be extended to banking customers too. The Indian Finance Ministry is working on savings bank account number portability, which will allow a customer to retain his account number while changing his bank.


Financial Services Secretary D K Mittal said, “We want to do it (savings a/c number portability). Right now there are some technical problems...we have identified them. We will overcome them soon.”
He was speaking after a meeting in the ministry, which among others was attended by Economic Affairs Secretary R Gopalan, Finance Secretary R S Gujral and Chief Economic Adviser Kaushik Basu. He said banks would have to work on an identification code, know your customer (KYC) norms and core banking solution (CBS) for implementing savings bank account number portability.

An ideal savings account portability scheme should have the following features:


  1. There should be no change in the account number.
  2. The account should be transferred within 10 working days.
  3. There should be no suspension of account operations.
  4. The existing debit card and cheque book can continue to be used.
  5. There should be no disruption in related electronic payment transactions, i.e. RTGS/NEFT credits, ECS debits, etc.
  6. There should be no disruption in the credit history of the account holder.

What is required for savings account number portability to take off in India?
a) The banks should be 100% on CBS (Core Banking Solution).
b) There should be a uniform number of digits in the account numbers across all the participating banks.
c) A third-party KYC (Know Your Customer) organisation responsible for certifying adherence to KYC norms. A beginning has been made in SEBI-regulated markets towards this end.
d) A robust identification code to recognise the savings accounts of participating banks. A start can be made by incorporating the MICR code or the PIN code in the new account numbers. Whatever code is chosen, it must remain valid after the account moves, so a central lookup mapping each account number to its current bank is needed alongside it.
e) Robust risk management, including fraud prevention techniques.






Disclaimer

The thoughts in this blog are personal and reflect only my views on the subject.
They are not the views of my employers.
All image and logo rights rest with the original title holders.

All efforts have been made to make this information as accurate as possible; N Prashant will not be responsible for any loss to any person caused by inaccuracy in the information available on this website. The relevant official Gazette communications may be consulted for accurate information. Any discrepancy found may be brought to the notice of N Prashant.