RBI proposes two-stage authentication to cut online banking fraud

23 Apr 2014

The Reserve Bank of India (RBI) has suggested that banks introduce a two-stage authentication process to ensure the security of online transactions and curb fraud in online banking.

In its report on Enabling Public Key Infrastructure (PKI) in Payment System Applications, RBI has directed banks to inform customers about risks associated with different types of online banking transactions.

"All banks' internet banking applications should mandatorily create authentication environment for password-based two-factor authentication as well as PKI-based system for authentication and transaction verification in online banking transaction," RBI said in a web site release.

"In online banking transactions, banks should provide the option to its customers for enabling PKI for its online banking transactions as optional feature for all customers," it added.

The RBI technical group has also recommended that banks may carry out PKI implementation for authentication and transaction verification in phases.

Since non-PKI-enabled payment systems, such as clearing (MICR and Non-MICR), electronic credit system, credit cards and debit cards, contributed 75 per cent in volume terms but only 6.3 per cent in value terms in the year 2012-13, the technical group set up by the RBI has suggested that digital technology such as PKI may be used to ensure a safe, secure payment system in the country and to ensure legal compliance.

The group also made a detailed study of cloud-hosted Digital Signature Certificate (DSC), Trusted Execution Environment, Hardened-Soft Signatures, Mobile PKI, Portable Security Transaction Protocol and Hybrid PKI Solution developed by the Institute for Development and Research in Banking Technology (IDRBT) as alternative strategies.

The report also highlights, among other things, the security features in existing payment system applications and the feasibility of implementing PKI in all payment system applications.

Payment systems are subject to various financial risks, such as credit risk, liquidity risk, systemic risk, operational risk and legal risk.

As customers increasingly adopt electronic payment products and delivery channels for their transactional needs, it is necessary to recognise that security and safety have to be robust, RBI pointed out, adding that any security-related issues resulting in fraud have the potential to undermine public confidence in the use of electronic payment products, which will impact their usage.