For an industry that spearheaded the universal use of one-time password (OTP) – and pushed Western banks to follow its lead – most Indian banks today are slowly losing their grip on the customer experience. They are obsessed with security to the point where convenience is compromised, making consumers cringe even to launch their web browser.
Have you noticed that some banks now use Captchas from the login screen? Captchas are those annoying boxes that challenge you to decipher an image and type in an obfuscated sequence of letters or numbers that appears on the screen. The idea is to differentiate bots from humans, but seriously, why do banks force a Captcha check to return a list of agencies or to file an online complaint?
In a world where mobile wallet apps can complete a transaction with a simple OTP, most banks still require four passwords to transfer funds to a new beneficiary – login, transaction, profile, and OTP – while also imposing cooling-off periods and limits on the amounts sent.
Plus, banks routinely force you to change all those passwords frequently, a heavy burden for an internet culture that is usually rather careless about online security. We are a people who freely give our mobile numbers and email IDs to complete strangers, and many of us leave our Android phones on the default swipe-to-unlock.
But forcing frequent password changes does not improve security. All it does is push customers to game the system by adding a simple suffix or prefix (such as the current month) to the same old password (the name of a child or spouse) and moving on. Since these suffixes are hard to remember, customers are likely to write the entire password down on a piece of paper, which poses a far greater security risk.
The truth is that banks can dramatically improve security without unduly burdening the customer. For example, if banks love Captchas so much, why don’t they deploy Google’s free reCAPTCHA, which performs the same bot check with a simple mouse click?
The “trusted computer” solution, commonly deployed by Western financial institutions, is another example of how banks can improve security without taxing the customer. The bank first asks a customer a series of “challenge questions”, such as “Who is your favorite actor?” and stores the responses in its database. It deposits a “cookie” on the client’s desktop, designating it as trusted — and as long as the client is using this device, they are spared the hassle of frequently authenticating with unnecessary passwords. (If she were to log in from another machine, at a friend’s house, the bank immediately becomes suspicious and asks for answers to the identification questions.) This is a much more secure and convenient approach than requiring frequent password changes.
Furthermore, it is time for banks to spare the customer the burden of having to depend on the country’s overloaded SMS infrastructure for OTP transmissions. If the OTP is not received within the allowed session window (about three minutes), banks roll back an entire transaction, a frustrating prospect for the consumer.
As a first step, banks should deploy OTP transmission backup solutions so that customers are not anxiously dependent on an OTP SMS, which may never arrive. Some banks already use a secure app (like Google Authenticator) that generates a one-time code from a customer’s smartphone and have completely abandoned the public SMS infrastructure. Others send the OTP in a password-protected email as a backup – a simple but elegant solution in case the SMS doesn’t arrive in time. The idea is to make Internet banking hassle-free.
Banks could also leverage their extensive ATM networks to let customers generate and print a set of backup OTPs. (Google has championed this approach for years for its two-step verification feature.) For security reasons, the printed slip would not display the name of the bank. If the customer loses the slip, he simply returns to the ATM to generate a new set, which automatically invalidates the old one. Since the OTP set is generated using the customer’s ATM card, the card plays the same role as the phone that receives an OTP SMS – something the customer possesses. Banks may charge customers a nominal fee for this service.
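As an added illustration (not from the article or any bank’s system), here is a Python sketch of how a bank could manage such a printed backup-OTP set on the server side: codes are returned once for printing, stored only as hashes, accepted once each, and the whole set is revoked the moment a replacement set is issued. The in-memory store, function names and eight-digit code format are assumptions.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side store: customer id -> (batch id, hashes of unused codes).
# Codes are kept only as hashes so a database leak does not expose printable OTPs.
_store: dict[str, tuple[str, set[str]]] = {}

CODE_LEN = 8        # digits per code on the printed slip (assumed)
CODES_PER_SET = 10  # codes per slip (assumed)


def _hash_code(user_id: str, batch_id: str, code: str) -> str:
    # Bind the hash to the customer and the batch so a code from an old,
    # revoked slip (or another customer's slip) can never match.
    return hashlib.sha256(f"{user_id}:{batch_id}:{code}".encode()).hexdigest()


def issue_backup_set(user_id: str) -> list[str]:
    """Generate a fresh set of one-time codes for printing at the ATM.

    Issuing a new set replaces the previous one, so a lost slip is
    invalidated as soon as the customer prints a replacement.
    """
    batch_id = secrets.token_hex(8)
    codes = [f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"
             for _ in range(CODES_PER_SET)]
    _store[user_id] = (batch_id, {_hash_code(user_id, batch_id, c) for c in codes})
    return codes  # handed over once for printing; never stored in clear


def remaining_codes(user_id: str) -> int:
    """Number of unused codes left on the customer's current slip."""
    entry = _store.get(user_id)
    return len(entry[1]) if entry else 0


def redeem_backup_code(user_id: str, code: str) -> bool:
    """Accept a code only if it belongs to the current set and is unused."""
    entry = _store.get(user_id)
    if entry is None:
        return False
    batch_id, unused = entry
    digest = _hash_code(user_id, batch_id, code)
    # Constant-time comparison against each stored hash avoids a timing oracle.
    for stored in list(unused):
        if hmac.compare_digest(stored, digest):
            unused.remove(stored)  # single use: strike the code off the slip
            return True
    return False
```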
As things stand, interacting with banks in retail branches is already an unsatisfying experience for most customers, and online engagement is now heading the same way. It is time for banks to improve the online banking experience in India, because customers deserve nothing less.
The author is Managing Director, Rao Advisors LLC, USA