On Fri, Mar 12, 2010 at 6:52 PM, Abhijit Menon-Sen <[email protected]> wrote:
> Has anyone done a security analysis of net banking sites in India? Have
> any actual attacks been dissected and documented? Does anyone know what
> measures are taken to safeguard authentication information?
>
> Someone used my mother's net banking account without authorisation, and
> the bank (ICICI) says, in effect, "it happens, what can anyone do?". So
> I'm just wondering if there's any sensible/safe way to use net banking.
>

There are two components to security of net banking: (a) security of processes and user visible security features, and (b) security of the technology platform including databases and their websites. Normal users like you and me can satisfy ourselves of the former, but the latter would need, one would presume, more detailed 'audit' and the analysis of experts.

From my experience ICICI's net banking is quite solid as far as user visible security processes go. Apart from the dual 'login and transaction' passwords, the following 'reassure' me considerably:

1. "Virtual Keyboard" for logging in - to protect your username/password on public computers (I would imagine this feature would not be much used as most of us rely on finger memory, but you should highly recommend this to your mother)
2. Apart from the transaction password, it has something called the GRID password that is available on the back of the debit card, and for any third party transfers (even if you had authorized them for an earlier transaction) 3 of the 16 (IIRC) cells from the GRID are queried
3. Adding recipients for transfers needs to go through an authorization through a code sent to mobile phone
4. The now enforced Verified by Visa / MasterCard SecureCode help.

etc.

From an end user perspective it certainly feels more robust than HSBC UK online banking (my one other significant net banking experience), where much is hidden behind their "all transactions and transfers are subject to our usual fraud detection checks" kind of opacity.
I am curious to know if data protection policies and programming security are taken equally seriously... Would love to hear what Kalyan has to say...
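The GRID password scheme described in the reply above (a 4x4 card, 3 randomly chosen cells queried per transaction), sketched as an added example of how a server-side verifier for such a card can be written; this is illustration code, not ICICI's implementation, and the grid values, cell labels and function names are constructed for the example.

```python
import hmac
import secrets

GRID_ROWS = 4
GRID_COLS = 4
CELLS_PER_CHALLENGE = 3  # "3 of the 16 cells" as described in the post

# Constructed sample grid for illustration only; a real card carries
# bank-issued values and the server stores them per customer.
SAMPLE_GRID = {
    "A1": "37", "A2": "91", "A3": "04", "A4": "58",
    "B1": "22", "B2": "76", "B3": "19", "B4": "63",
    "C1": "85", "C2": "40", "C3": "11", "C4": "97",
    "D1": "66", "D2": "28", "D3": "53", "D4": "09",
}


def make_challenge(rng=secrets.SystemRandom()):
    """Pick 3 distinct cells (row letter + column number) using a CSPRNG.

    Picking fresh, unpredictable cells each time is what stops a captured
    response from being replayed against the next transaction.
    """
    cells = [f"{chr(ord('A') + r)}{c + 1}"
             for r in range(GRID_ROWS) for c in range(GRID_COLS)]
    return rng.sample(cells, CELLS_PER_CHALLENGE)


def verify_response(grid, challenge, response):
    """Check the user's values against the stored grid for the challenged cells.

    All cells are compared together in constant time, so a wrong first cell
    neither short-circuits nor leaks through timing which cell was wrong.
    """
    if len(response) != len(challenge):
        return False
    expected = "".join(grid[cell] for cell in challenge)
    given = "".join(response)
    return hmac.compare_digest(expected.encode(), given.encode())
```

A production verifier would additionally count failed attempts per account and lock the grid after a small number of them, since each failure otherwise narrows the 100^3 search space of a 3-cell challenge.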
