RBI to Ease Transaction Security?Critics Fear Move Would Increase Fraud
The Reserve Bank of India is considering removal of its two-factor authentication requirement for small-value transactions up to Rs. 3,000 (roughly $47 USD). The stated goal is to facilitate easier electronic transactions for consumers. But security experts fear the initiative may actually increase fraud.
H.R. Khan, RBI deputy governor, confirms that India's central bank is in discussions with the nation's banks about this new initiative, and hopes to have a firm proposal within two months. In addition to requiring a username and password, the current two-factor authentication process includes obtaining another one-time password each time a customer logs in to conduct a transaction. That one-time password is sent via SMS to the customer's registered mobile device.
"We are working towards giving a convenience where, up to a limit, second factor authentication is not required," Khan says. "However, there are a few nuts and bolts to be tightened to streamline the process."
The objective of the initiative, Khan says, is to promote a cashless society where people use electronic transactions for most of their needs.
According to industry sources, RBI is the first central bank to introduce such a process of scaling back authentication methods on electronic transactions.
But some security practitioners question the logic behind the move, given that RBI from 2009 to 2011 made two-factor authentication a statutory requirement. If the principal objectives of two-factor authentication are to protect the confidentiality of customer account data and transaction details, as well as enhance confidence in electronic transactions, then why lower the security bar?
Mani Kant Singh R, head of IT and security at a Gurgaon-based NBFC, fears an increase of fraudulent transactions if the RBI carries out its initiative.
"There would be a huge line at customer care with complaints about wrong fund transfers [and] anonymous third-party transactions," Singh says. "This would [also] delay one-time-password transfers, resulting in huge network chokes."
Critics object to removing any layer of security that is critical to ensuring trust in the process.
"The implications of not using two-factor authentication is severe," says Milind Rajhans, assistant general manager-IT and CISO at the A.P. Mahesh Coop Urban Bank Ltd. In Hyderabad. "Using two factors, as opposed to one factor (just the login ID and password), ensures heightened security for online transactions, which helps establish the genuineness of the customer."
Rajhans says the value of the transaction is immaterial if one decides to misuse the online transaction process. Many CISOs consider two-factor authentication to be only moderately secure. Disabling this measure for even small transactions would reduce the confidence of users and lead to business slowdown, critics say.
"RBI's decision will not only increase the volume of fraudulent cases, but also techniques of misuse of the online nuances, which will be difficult to presume," Singh says.
Preparing for Change
If, indeed, authentication is simplified for small transactions, then banking/security leaders need to be prepared both for an increase in electronic transactions and the need to scan them more thoroughly for anomalous behavior, experts say.
"The task of CISOs will lie in identifying the security loop, patching the security lapse, adapting to the cyber law to combat crimes owing to the increased volume of transactions and deploying appropriate risk assessment tools," Singh says.
Singh recommends the use of online transaction analytical tools to track the transaction history of the customer.
In the absence of two-factor authentication, Rajhans believes that CISOs must use SIEM and ISMS security frameworks effectively to ensure secure online transactions at the gateway level.
"Appropriately designed and implemented multi-factor authentication methods need to be deployed," Rajhans says "These are more reliable and stronger fraud deterrents, and are more difficult to compromise and can also prevent network chokes."