Banking online? How to avoid identity theft

Last updated on: March 12, 2012 07:14 IST

A look at the features of your password protection policy that compromise online debit/credit card transactions and how to secure them.

What is Verified by Visa (VBV)/MasterCard SecureCode (MSC)?

In 2009, RBI made an additional authentication passcode, Verified by Visa (VBV) or MasterCard SecureCode (MSC), mandatory. The purpose was to provide extra security for customers while they shopped online; for banks, it was an extra security blanket to curb misuse of cards while shopping online.

This double verification is in effect from August 1, 2009 onwards: whenever a customer makes an online transaction, he will have to enter this additional password, VBV (Verified by Visa) or MSC (MasterCard SecureCode), that will be provided by the merchant.

The author, Govind Rammurthy, is MD and CEO of eScan

As the cardholder will only know this additional password, in case the card is lost, it will be difficult to misuse the card for online transactions.

To use the facility, you...

Using this facility is as easy as using a PIN for ATM transactions.  

How does VBV / MSC work?

VBV / MSC provides you with a password to protect your online transactions, just like you use your PIN at an ATM. Here are the steps.

1. Select the goods or services you want from a VBV / MSC online store and proceed to the payment page.

2. Enter your debit/ credit card number and the online store will connect with your issuing bank to check whether your card is secured with VBV/MSC.

3. The issuing bank initiates a VBV/MSC pop-up window on your computer screen that includes your personal message.

4. Look for and confirm your personal message, then enter your password. The issuing bank will then confirm your identity to the merchant.

5. Your payment is authorised and your order is placed.

Is it that simple?

Unbelievable as it may seem, it is also a simple task for people with malicious intent to change your password and shop online.

How does it work?

Before we delve into the darker details, we have to understand one thing: every human being has a tendency to forget passwords, and the only way out is the 'Forgot Password' facility.

Every system deploys a variety of algorithms to ensure...

1. Identity of the subscriber

2. Allow the subscriber to change the password

3. Notify the subscriber about password change.

There might be a slight variation in the above-mentioned steps: the issuer may send across either the plain-text password, which in itself is a security risk, or a password reset link.

Since your debit/credit card is directly associated with your finances, we would expect much tighter security for password recovery, but it is not so.

The basic requirements for resetting a VBV/MSC password are:

1. Card no: displayed on the card and available on the magnetic strip.

2. Expiry date: displayed on the card and available on the magnetic strip.

3. Name: displayed on the card and available on the magnetic strip.

4. CVV: displayed on the card and available on the magnetic strip.

5. ATM pin: displayed on the card and available on the magnetic strip.

6. DOB: date of birth is not available anywhere on the card.

Most of the data required for 'Password Reset' is present on the debit/credit card itself, except for the 'Date of Birth'. It is the only secret, and it is known and disclosed almost everywhere. Whether it's social networking sites, surveys or your insurance, you name a service and that service will have your date of birth.

DOB should never be treated as a secret that can be used for authentication purposes, let alone for a card verification service.

The troubles are not yet over. What is more surprising is that after the password is successfully changed, there is no intimation, either by e-mail or by SMS, that your password has been changed.

No protection has been offered against brute force guessing.

Precautions to be taken by debit/credit card holders

1. Never disclose your debit/credit card details

2. Never provide a photocopy of your debit/credit card to be used as an identity proof

3. Ensure that your debit/credit card is swiped on the merchant POS and not on any other machine/system, especially at shopping malls

4. Enable mobile alerts and notify your bank immediately upon suspicion of a fraudulent purchase/s

What should debit/credit issuing companies be doing about this?

1. Should be OTP (one time password) based and should be integrated with the registered mobile number.

2. Brute force or auto look-ups should be negated by using Captcha.

3. Failed attempts should be counted and intimation should be provided on the registered mobile/e-mail. A delay in 'change password' by a few hours during failed attempts would discourage such nefarious activities and give time for prompt action by the original cardholder.

Banks providing zero liability to customers is a good idea. However, the very foundation of this feature is based on an insecure security practice, such as 'Forgot Password'.
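The issuer-side recommendations above (an OTP tied to the registered mobile, counted and notified failures, and a delay after repeated failures) can be sketched as a reset flow. This is an added example, not code from the article or from any card issuer; the class name, the three-failure threshold and the four-hour hold are assumptions, and Captcha and OTP expiry are left out.

```python
import hashlib, hmac, secrets

MAX_FAILURES = 3          # assumed threshold; the article gives no number
HOLD_SECONDS = 4 * 3600   # assumed value for the "few hours" delay

class ResetGuard:
    """Hypothetical issuer-side state for an OTP-based VBV/MSC password reset."""

    def __init__(self, notify):
        self.notify = notify   # notify(card_id, text): SMS/e-mail to the registered contact
        self.otp_hash = {}     # card_id -> SHA-256 of the outstanding OTP
        self.failures = {}     # card_id -> failed attempts so far
        self.hold_until = {}   # card_id -> time before which resets are refused

    def start_reset(self, card_id, now):
        """Send a fresh 6-digit OTP to the registered mobile; no DOB or card data involved."""
        if now < self.hold_until.get(card_id, 0):
            return False
        otp = f"{secrets.randbelow(10**6):06d}"
        self.otp_hash[card_id] = hashlib.sha256(otp.encode()).digest()
        self.notify(card_id, f"Password reset requested. OTP: {otp}")
        return True

    def finish_reset(self, card_id, otp, now):
        """Return 'changed', 'rejected' or 'held'; every outcome but 'held' is notified."""
        if now < self.hold_until.get(card_id, 0):
            return "held"
        expected = self.otp_hash.get(card_id)
        supplied = hashlib.sha256(otp.encode()).digest()
        if expected is None or not hmac.compare_digest(expected, supplied):
            count = self.failures[card_id] = self.failures.get(card_id, 0) + 1
            self.notify(card_id, f"Failed password reset attempt {count}")
            if count >= MAX_FAILURES:
                # Too many wrong guesses: void the OTP and delay any reset for hours.
                self.otp_hash.pop(card_id, None)
                self.hold_until[card_id] = now + HOLD_SECONDS
            return "rejected"
        del self.otp_hash[card_id]   # an OTP is valid for one use only
        self.failures[card_id] = 0
        self.notify(card_id, "Your VBV/MSC password was changed")
        return "changed"

if __name__ == "__main__":
    log = []   # constructed stand-in for the SMS/e-mail channel
    guard = ResetGuard(lambda card, text: log.append(text))
    guard.start_reset("card-1", now=0)
    print([guard.finish_reset("card-1", "not-otp", now=t) for t in (1, 2, 3)], log[1:])
```
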