href="http://dqindia.ciol.com/content/spotlight/2009/209110601.asp">Online
banking in India offers enormous
promise both for banks and their customers. India accounts for around
81 million
href="http://dqindia.ciol.com/content/dq_top20/ind_analysis/101072207.asp">Internet
users, representing a market penetration of just seven
percent. For banks considering offering services online,
India's potential is exciting: Internet usage in India has
soared 1,520 percent since 2000.Â
Yet
realizing the potential of online banking in India is fraught with
challenges:
- Economic, due to a global
href="http://dqindia.ciol.com/content/industrymarket/ciospeak/2009/109022101.asp">recession
and increasingly competitive marketplace
- Cultural, as banks try to
balance long-held traditions with the need to generate profit
- Demographic, by instituting
a “mass over class” approach to providing bank
services to all Indians
- Criminal, as banks and their
customers face increasing threats from fraud cartels and identity
thieves
Lately, it's the economic challenges that impact
href="http://dqindia.ciol.com/content/wifi/2009/109020603.asp">banks
the most. India's public and private sector banks are
striving to halt the escalating costs of doing business. The need to
reduce operating costs has prompted banks of all kinds to find more
cost-effective ways to serve customers. Online banking offers a way to
provide a range of services to anyone with even occasional access to
the Internet. It's vastly more convenient for customers, and
it's much more cost-effective than in-person tellers and call
center agents. How much? An Internet banking transaction is 85 percent
cheaper to process than a typical transaction.ii Â
So why haven't more banks engaged this potentially lucrative
channel?
The
Trust Problem
While only 16 percent of Internet users in India are expected to be
banking users in the short term, that number can grow rapidly if banks
are able to establish trust with an understandably wary public.
But Internet users know the threats are real and spreading. India is
specifically targeted in roughly 10 percent of the world's
phishing scams designed to lure online users to look-alike Web sites,
where they are tricked into providing their personal account numbers,
passwords, credit card numbers and more. In 2008, banks in India were
subjected to more than 400 phishing attacks over the course of a few
months.
A popular technique executed by identity thieves and e-fraud cartels,
phishing scams can be set up quickly at very low cost. On the
Internet's global black market — where stolen
identities are bought and sold 24 hours a day — e-criminals
can even purchase “phishing kits” that enable them
to create a fake Web page that convincingly mimics a bank's
log-in page.
Even in the face of these threats, however, India's banks
simply aren't protecting themselves or their customers.
According to NASSCOM, an IT trade group based in India, more than 80
Indian banks lack the security safeguards they need to thwart attacks
from phishers and identity thieves.v
Foiling
Fraudsters with
href="http://dqindia.ciol.com/content/wifi/2008/108111004.asp">
Two-Factor Authentication
For banks around the world, the answer to establishing trust with
online customers is two-factor authentication. Also known as strong
authentication, two-factor authentication goes beyond simple
username-and-password sign-on, which is easily circumvented by
phishers. Â
With two-factor authentication (2FA), each user provides not just a
username and password, but also a unique one-time password (OTP)
generated by a special security credential. When the bank's
2FA service provider matches the OTP to the customer, then the user is
authenticated.
The latest 2FA solutions are simpler and more convenient for users as
well. OTP credentials are available in a variety of formats, allowing
bank customers to choose the credential that best suits their
lifestyle. These include stand-alone hardware tokens, credit card-sized
form factors, SMS codes for mobile phones as well as a
downloadable application that turns a mobile phone into a OTP
generator.
Because logging on with two-factor authentication requires something
the user knows (his username and password) and something he has (his
2FA credential), it is much more difficult for fraudsters to gain
unauthorized access to accounts. Because of this, 2FA has been proven
to be effective against unauthorized access to online accounts,
stopping potential fraud before customers and banks sustain financial
losses.
Some IT managers may have experienced 2FA in its former iteration as a
costly, self-managed solution that is difficult to scale as user
populations grow. Today's 2FA solutions, however, are
available as cloud-based (or managed) services that drive down per-user
costs while enabling on-demand growth. Managed 2FA services allow banks
and other organizations to achieve TCO savings of 40 percent
on capital expenditures and operational costs, when compared to
traditional on-premise solutions.
Most recently, the costs and logistics of distributing 2FA credentials
to millions of users have effectively been eliminated with the
introduction of mobile applications that transform mobile phones and
PDAs into credentials that generate OTPs on demand. Since most online
bank customers are mobile phone users, they don't have to
carry an additional credential to generate an OTP for strong
authentication. Instead, the device they carry all day, every
day doubles as their 2FA credential, creating a new level of
convenience. And the application costs them nothing.
A
Relationship Built on Trust
For Indian banks aiming to introduce or expand their online services,
establishing trust with customers is a crucial first step.Â
With its proven ability to keep fraudsters and identity thieves from
gaining unauthorized access to customer accounts, two-factor
authentication should be a core part of any bank's online
offering.
As
financial institutions around the world already recognize, 2FA:
- Protects banks and their
customers from financial losses stemming from online account takeover.
Signing on to a 2FA-protected bank Web site requires users to provide
something they know and something they have — a combination
that e-criminals will find difficult, if not impossible, to acquire.
- Is cost-effective and
scalable. A cloud-based 2FA solution keeps implementation and
administrative costs down while enabling deployments to scale on demand.
- Is easy to use. A variety of
2FA credentials — including mobile device-based applications
that provide the ultimate in convenience — make strong
authentication easy for bank customers.
- India's banks have
a promising future online — but only if they provide the
right safeguards against e-criminals. Those safeguards should include
two-factor authentication.
style="font-style: italic; font-weight: bold;">Dr.
Shekhar Kirani is Country Manager of VeriSign India.