Online Internet banking and financial transactions on most Indian bank
websites are jinxed because every bank out there (at least the ones I use) insists
on paying their IT vendors to develop software that does not run properly on a
Linux platform.
Their websites will display webpages on FF but verification of online
transactions and shares trading will be supported only on IE. For the
last few days, I've been trying to access the BOB site to change the password for
netbanking but it keeps throwing a "JavaScript Disabled in Browser" error.
Nope, this problem is not restricted to yet another "government bank";
private banks are no better.
The HDFC website is also FF friendly and renders well but try verifying
credit cards for online purchase. Earlier the Netsafe/Verified by Visa/
MasterCard SecureCode pop-up screen used to return a "your browser is not
IE....." message but now it gleefully crashes FF in a very customer friendly
way!
After a whole week of running around between branches and complaining online
and talking to divisional heads... the status quo remains. Frustrated, I used
IE and voila, everything just works. Ughh!!
Support for transactions on non-IE browsers is almost non-existent and
talking about standards with the bank staff will get the standard response
"yahan sab log Windows use karte hain (here everyone uses Windows)". That is
the manager's cue to me: "Yo customer, I don't care about your problem so end
this Linux conversation". Asking to speak to the technical folks will not
materialise; see, they would not speak to lesser denizens like me, their
customers.
Yet another private bank, ICICI, does not think a second layer of security
verification for credit card transactions online is important. Simply using an
HTTPS server is not good enough. A second layer of security for each
transaction should be mandatory. Ideally before approving an online transaction
the merchant website should redirect to a Visa or Mastercard verification page
(via your bank) which will ask you to verify with the CCV pin#, email id,
password, etc... (exact procedure differs slightly from bank to bank) for EACH
transaction. Currently ICICI simply approves the transaction, which is a
security lapse on the bank's part because someone can
memorize the card number, the expiry date, $name and simply flip over your card
to read the 3-digit CCV overleaf and voila, you just gave a stranger access to
your money!
While we were in Delhi, a restaurant printed the name, the 16-digit CC
number (in all its glory) with expiry date on the POS receipt. So sans the
second layer verification from Visa/MC, anyone with access to the merchant's
copy of the CC payment receipt can misuse the card online. All s/he has to do
is memorize the 3-digit CCV number on the back of your card. _That_ is a BIG
security hole. I didn't bring this to the merchant's
attention as I didn't want to alert them to a possible route to a financial
fraud.
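The receipt problem described above is fixed at the point of printing. The following sketch is an added example, not part of the original post: it finds Luhn-valid card numbers and expiry dates in receipt text and masks them, keeping only the last four digits. The receipt layout and the function names are assumptions made for illustration.

```python
import re

# Candidate card number: 13-19 digits, optionally grouped by single spaces/hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Expiry printed as MM/YY or MM/YYYY (not part of a longer date such as DD/MM/YYYY).
EXPIRY_RE = re.compile(r"(?<![\d/])(0[1-9]|1[0-2])/(\d{4}|\d{2})(?![\d/])")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to skip digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_receipt(text: str):
    """Return (masked_text, findings) for one receipt."""
    findings = []

    def mask_pan(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # e.g. a transaction reference, leave untouched
        findings.append("full card number")
        return "*" * (len(digits) - 4) + digits[-4:]

    def mask_expiry(m):
        findings.append("expiry date")
        return "**/**"

    masked = PAN_RE.sub(mask_pan, text)
    masked = EXPIRY_RE.sub(mask_expiry, masked)
    return masked, findings


# Constructed sample receipt; 4111 1111 1111 1111 is a widely used test number.
SAMPLE = (
    "TABLE 12   BILL NO 0004512\n"
    "CARD: 4111 1111 1111 1111  EXP: 09/27\n"
    "TXN REF: 9810012345678\n"
    "AMOUNT: INR 1450.00\n"
)

if __name__ == "__main__":
    print(mask_receipt(SAMPLE)[0])
```

Run over stored receipt copies or print spool output, a non-empty `findings` list flags a terminal that is still printing full card data.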
Now, if ICICI had a II-layer verification, for the online transaction to be
approved the fraudster would need to know your email id, password, answer to
your security question, etc. before they can (mis)use
your card online. This II-layer verification (besides the IP verification,
etc.) will help to narrow down the culprit(s) to: 1) an internal source who has
access to your bank records, OR 2) social engineering,
where you gave the details to your confidant/relative/friend/family and it was
(mis)used sans your permission.
I suspect that the second layer verification is provided by
Visa/Mastercard only to those banks that pay them for this service.
I've experimented with multiple cards for the _same merchant_ and ICICI is
still approving the online transaction sans the second verification layer. Now,
if a second layer security feature service provided by
VISA and MasterCard is being withheld by not informing and not providing the
service to the customer, then it is a security lapse on the bank's part.
The other scary bit with online banking with some Indian merchants is the
practice of auto-debiting your Credit Card for annual
subscriptions. If I want to re-sub to your service, I will. I would
prefer the merchant sending me an email notice instead of directly debiting my
card without my approval or request. This tells me that the merchant is storing
my Card details, without my knowledge and permission, which is not good
security practice and most likely I will not use their service again.
Another problem area is the live trading on BSE. Currently this data is
available deferred live if you use a non-IE browser. The merchants I spoke to
are unwilling to support live trading on a Linux platform, partly because the
share traders and banks are so used to IE that they
don't support any neutral standards or system platforms.
The European Union's Internet accessibility laws are pretty strongly
enforced and India should also have such laws. RBI, http://www.rbi.org.in, has a list of all the circulars sent to all
Indian banks under its jurisdiction, including small branches which as per law
are required to publicly display rules and regulations in B&W on a notice
board within their offices. Maybe a PIL on behalf of the Persons With
Disabilities Act will get browser neutral compatibility standards enforced
across the board in India.
UPDATE: Now the Reserve Bank of India has made it
mandatory to have an extra level of authentication called the
VBV (Verified by Visa) or MSC (MasterCard SecureCode) password.
This password is required when you are making an online transaction.
All customers are requested to visit their respective card-issuing bank's
website or the VISA/MASTER sites and register their card for Verified by Visa or
MasterCard SecureCode to get their password.
For VISA Credit Card registration process, click on the following link
http://www.visa-asia.com/ap/sea/cardholders/security/activate.jsp
For MASTER Credit Card registration process, click on the following link
http://www.mastercard.com/us/personal/en/cardholderservices/securecode/sign_up.html