Online banking and browser neutral accessibility standards
Online Internet banking and financial transactions on most Indian bank websites are jinxed because every bank out there (at least the ones I use) insists on paying their IT vendors to develop software that does not run properly on a Linux platform.
Nope, this problem is not restricted to yet another "government bank", private banks are no better.
The HDFC website is also FF friendly and renders well but try verifying credit cards for online purchase. Earlier the Netsafe/Verified by Visa/MasterCard SecureCode pop-up screen used to return a "your browser is not IE....." message but now it gleefully crashes FF in a very customer friendly way!
After a whole week of running around between branches and complaining online and talking to divisional heads... the status quo remains. Frustrated, I used IE and voila, everything just works. Ughh!!
Support for transactions on non-IE browsers is almost non-existent and talking about standards with the bank staff will get the standard response "yahan sab log Windows use karte hain (here everyone uses Windows)". That is the manager's cue to me: "Yo customer, I don't care about your problem so end this Linux conversation". Asking to speak to the technical folks will not materialise; see, they would not speak to lesser denizens like me, their customers.
Yet another private bank, ICICI, does not think a second layer of security verification for credit card transactions online is important. Simply using an HTTPS server is not good enough. A second layer of security for each transaction should be mandatory. Ideally before approving an online transaction the merchant website should redirect to a Visa or Mastercard verification page (via your bank) which will ask you to verify with the CCV pin#, email id, password, etc. (exact procedure differs slightly from bank to bank) for EACH transaction. Currently ICICI simply approves the transaction, which is a security lapse on the bank's part because someone can memorize the card number, the expiry date, $name and simply flip over your card to read the 3-digit CCV overleaf and voila, you just gave a stranger access to your money!
While we were in Delhi, a restaurant printed the name, the 16-digit CC number (in all its glory) with expiry date on the POS receipt. So sans the second layer verification from Visa/MC, anyone with access to the merchant's copy of the CC payment receipt can misuse the card online. All s/he has to do is memorize the 3-digit CCV number on the back of your card. _That_ is a BIG security hole. I didn't bring this to the merchant's attention as I didn't want to alert them to a possible route to a financial fraud.
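The receipt problem described above has a simple merchant-side control: never print the full card number or expiry. The following is an added example, not part of the original post; the receipt text is constructed, the function names are hypothetical, and masking down to the last four digits is assumed as the receipt policy.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by single spaces or hyphens.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# MM/YY or MM/YYYY expiry, but not a fragment of a DD/MM/YYYY date.
EXPIRY_RE = re.compile(r"(?<![\d/])(?:0[1-9]|1[0-2])/(?:\d{4}|\d{2})(?![\d/])")

# Constructed sample; 4111 1111 1111 1111 is a well-known test number, not a real card.
SAMPLE_RECEIPT = """\
CONSTRUCTED RESTAURANT RECEIPT
Date: 12/03/2024  Bill no: 1234567890123
Card: 4111 1111 1111 1111  Exp: 09/27
Name: A CUSTOMER
Total: Rs. 1450.00
"""

def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from bill or phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def sanitize_receipt(text):
    """Return (masked_text, findings) for one receipt before it is printed."""
    findings = []

    def mask_pan(match):
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)   # long number, but not a card: leave it alone
        findings.append("full card number printed")
        return "*" * (len(digits) - 4) + digits[-4:]

    masked = PAN_RE.sub(mask_pan, text)
    masked, expiry_hits = EXPIRY_RE.subn("**/**", masked)
    if expiry_hits:
        findings.append("expiry date printed")
    return masked, findings

if __name__ == "__main__":
    clean, issues = sanitize_receipt(SAMPLE_RECEIPT)
    print(clean)
    print(issues)
```

The same check can run over stored receipt images or POS logs (after text extraction) to audit whether a terminal is leaking full card data.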
Now, if ICICI had a II-layer verification, for the online transaction to be approved the fraudster would need to know your email id, password, answer to your security question, etc. before they can (mis)use your card online. This II-layer verification (besides the IP verification, etc.) will help to narrow down the culprit(s) to: 1) an internal source who has access to your bank records, OR 2) social engineering, where you gave the details to your confidant/relative/friend/family and it was (mis)used sans your permission.
I suspect that the second layer verification is provided by Visa/Mastercard only to those banks that pay them for this service and I've experimented with multiple cards for the _same merchant_ and ICICI is still approving the online transaction sans the second verification layer. Now, if a second layer security feature service provided by VISA and MasterCard is being withheld by not informing and not providing the service to the customer, then it is a security lapse on the bank's part.
The other scary bit with online banking with some Indian merchants is the practice of auto-debiting your Credit Card for annual subscriptions. If I want to re-sub to your service, I will. I would prefer the merchant sending me an email notice instead of directly debiting my card without my approval or request. This tells me that the merchant is storing my Card details, without my knowledge and permission, which is not good security practice and most likely I will not use their service again.
Another problem area is the live trading on BSE. Currently this data is available deferred live if you use a non-IE browser. The merchants I spoke to are unwilling to support live trading on a Linux platform, partly because the share traders and banks are so used to IE that they don't support any neutral standards or system platforms.
The European Union's Internet accessibility laws are pretty strongly enforced and India should also have such laws. RBI, http://www.rbi.org.in, has a list of all the circulars sent to all Indian banks under its jurisdiction, including small branches which as per law are required to publicly display rules and regulations in B&W on a notice board within their offices. Maybe a PIL on behalf of the Persons With Disabilities Act will get browser neutral compatibility standards enforced across the board in India.

Now the Reserve Bank of India has made it mandatory to have an extra level of authentication called VBV (Verified by Visa) or MSC (Master Card Secure Code) password. This password is required to use while you are making an online transaction. All customers are requested to visit your respective card issuing bank’s website or VISA/MASTER sites and register your card for Verified by Visa or Master Card Secure Code to get your password.
For VISA Credit Card registration process, click on the following link
For MASTER Credit Card registration process, click on the following link