Critics to RBI: Don't Ease SecurityRBI's Plan May Increase Fraud, Costs
Even a few weeks after the Reserve Bank of India announced its plan to consider removal of the two-factor authenticationrequirement for small-value transactions up to Rs. 3,000 (roughly $47 USD), security critics continue to react strongly against the notion.
See Also: Faster Payments, Faster Fraud?
While RBI's stated goal is to facilitate easier electronic transactions for consumers, experts believe the move would result not only in increased fraudulent transactions, but also a big loss of investments made in systems and software to enable two-factor authentication.
"Banks may not be able to upload the cost to customers who make transactions of low-value," says Dr. Onkar Nath, information security strategist and former security head at Central Bank. "Hence, it would be an overhead cost on the bank itself, as it would have invested significantly on planning, procuring, deploying and owning a two-factor authentication solution."
Cost Implications 'Significant'
RBI deputy governor H. R. Khan confirms that India's central bank is in discussions with the nation's banks about this new initiative of scaling back authentication methods on electronic transactions, and hopes to have a firm proposal within two months.
But security experts continue to speak up with opposition to this proposal.
"The cost implications for banks will be significant--as most transactions are under Rs. 3,000," says Sriram Natarajan, chief operating officer, card processing & risk management services, Quatrro, "This will not help them realize the full benefit, as banks have already invested in systems and software for one-time passwords."
There are many factors involved in purchasing an OTP, two-factor authentication solution, including the initial pricing and licensing model, infrastructure and hardware requirements. However, Valan S, who heads the service practice at Fortinet, points out that the challenge lies in managing the process and resources required for deploying the same.
"The total cost incurred will vary substantially among vendors," Valan says. "But enterprises can choose the specific type of security solution, depending on the risk associated with various types of transactions and budgetary constraints, while providing reliable evidence of all network related user and administrative activities required for passing compliance audits."
As a measure of investment, Valan indicated a ball park figure: For a 1000-user platform, the bank will spend about Rs 3 lakhs on setting up the SMS platform to create OTP. Besides, there is the application licensing cost which includes upfront purchase costs. Oher costs include support and the warranty that vendors levy, token replacement costs, server purchase and maintenance, shelf decay and administration and deployment.
Valan states that banking CISOs need to also take into account initial setup costs, professional services, account creation and ongoing cost of adding/deleting users.
Mani Kant Singh R, head of IT and security at a Gurgoan-based NBFC, expects anything between Rs 2 million and Rs 3 million needs to be invested for developing a two-factor authentication process, depending upon the volume of users..
One of the risks that Dr. Nath fears is increasing fraudulent transactions. This is because many customers maintain accounts with multiple banks, and so far there is no synchronization of authentication among banks. In addition, the absence of the two-way authentication would lead to chaos in the payments system, he believes.
"Non-availability of two-factor authentication with mobile applications--due to lack of resources and for various operating platforms--would result in major security discrepancies," Nath says.
Natarajan wonders how the expected surge in fraud would be compensated by the incremental benefits of customer convenience. Or, for that matter, from banks enjoying enhanced business.
"While small-ticket frauds will definitely go up, fraudsters are smart enough to figure out a way to spoof the system and conduct a series of big fraudulent transactions," he says. "This will definitely confuse the customer and create an operational nightmare for banking CISOs."
Valan says that repeated small amount transactions and counterfeit cards will also lead to backdoor exploits of online payment systems by fraudsters. For banks, this will prove costly.
Security in the Absence of Two-Factor
So, in the absence of two-factor authentication, how would security leaders ensure small-ticket transactions?
Experts believe that every new solution adds costs to the product or service, which has to be borne either by the provider or consumer. Hardware tokens are not affordable for many; encryption of data is good but not fool proof. So, banks need to put in technologies such as Advanced Innovative CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart).
Singh recommends that CISOs have a proactive screening methodology to screen customers with their origin of IP with analytics, which will ascertain a sense of comfort. "In the absence of two-factor authentication, they need to have their next-generation firewall and CRM, which captures data as to who are regular online shoppers and casual surfers," says Singh.
"The only effective step is to have strong back-end fraud controls and monitoring to compensate for the absence of two-factor authentication," maintains Natarajan.