॥ स्वक्ष ॥


Tag - HDFC-Bank


2009 November 4 [Wednesday]

Online banking and browser neutral accessibility standards

Online Internet banking and financial transactions on most Indian bank websites are jinxed because every bank out there (at least the ones I use) insists on paying its IT vendors to develop software that does not run properly on a Linux platform.

Their websites will display webpages on FF, but verification of online transactions and share trading is supported only on IE. For the last few days, I've been trying to access the BOB site to change the password for netbanking, but it keeps throwing a "JavaScript Disabled in Browser" error.

Nope, this problem is not restricted to yet another "government bank"; private banks are no better.

The HDFC website is also FF friendly and renders well, but try verifying credit cards for an online purchase. Earlier the Netsafe/Verified by Visa/MasterCard SecureCode pop-up screen used to return a "your browser is not IE....." message, but now it gleefully crashes FF in a very customer friendly way!

After a whole week of running around between branches, complaining online and talking to divisional heads... the status quo remains. Frustrated, I used IE and voila, everything just works. Ughh!!

Support for transactions on non-IE browsers is almost non-existent, and talking about standards with the bank staff will get the standard response "yahan sab log Windows use karte hain (here everyone uses Windows)". That is the manager's cue to me: "Yo customer, I don't care about your problem, so end this Linux conversation". Asking to speak to the technical folks will not materialise -- see, they would not speak to lesser denizens like me, their customers.

Yet another private bank, ICICI, does not think a second layer of security verification for online credit card transactions is important. Simply using an https server is not good enough. A second layer of security for each transaction should be mandatory. Ideally, before approving an online transaction the merchant website should redirect to a Visa or Mastercard verification page (via your bank) which will ask you to verify with the CVV, email id, password, etc... (the exact procedure differs slightly from bank to bank) for EACH transaction. Currently ICICI simply approves the transaction, which is a security lapse on the bank's part, because someone can memorize the card number, the expiry date and the name, simply flip over your card to read the 3-digit CVV overleaf, and voila, you just gave a stranger access to your money!

While we were in Delhi, a restaurant printed the name and the 16-digit CC number (in all its glory) with the expiry date on the POS receipt. So, sans the second layer of verification from Visa/MC, anyone with access to the merchant's copy of the CC payment receipt can misuse the card online. All s/he has to do is memorize the 3-digit CVV number on the back of your card. _That_ is a BIG security hole. I didn't bring this to the merchant's attention as I didn't want to alert them to a possible route to financial fraud.

Now, if ICICI had a second-layer verification, for the online transaction to be approved the fraudster would need to know your email id, password, answer to your security question, etc. before they could (mis)use your card online. This second-layer verification (besides IP verification, etc.) will help narrow down the culprit(s) to: 1) an internal source who has access to your bank records, OR 2) social engineering, where you gave the details to your confidant/relative/friend/family and they were (mis)used sans your permission.

I suspect that the second layer of verification is provided by Visa/Mastercard only to those banks that pay them for this service. I've experimented with multiple cards for the _same merchant_ and ICICI is still approving the online transaction sans the second verification layer. Now, if a second-layer security service provided by VISA and MasterCard is being withheld by not informing the customer and not providing the service, then it is a security lapse on the bank's part.
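To make the point concrete, here is a small simulation I am adding to this post (my own illustration, not code from ICICI, HDFC, Visa or Mastercard, and not how any real issuer is implemented). It models an issuing bank's authorization decision for an online purchase under the two policies discussed above: approving on card details alone (PAN, expiry, name, CVV, which are all printed on the card or on a POS receipt) versus also requiring a Verified by Visa / SecureCode style password that only the cardholder registered with the issuer. The card numbers, names, expiry dates and password are constructed sample values.

```python
"""Constructed simulation of issuer-side authorization with and without a second factor."""
from dataclasses import dataclass, replace
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


@dataclass(frozen=True)
class CardRecord:
    """What the issuing bank holds for one card (constructed sample data)."""
    pan: str                           # 16-digit card number
    expiry: str                        # MM/YY as printed on the card
    name: str                          # cardholder name as printed
    cvv: str                           # 3-digit code printed on the back
    vbv_salt: Optional[bytes] = None   # set once the cardholder registers for VbV/SecureCode
    vbv_hash: Optional[bytes] = None   # salted PBKDF2 hash of the registered password


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register_second_factor(card: CardRecord, password: str) -> CardRecord:
    """Cardholder enrolment step: the issuer stores only a salted hash of the password."""
    salt = secrets.token_bytes(16)
    return replace(card, vbv_salt=salt, vbv_hash=_hash_password(password, salt))


# Constructed issuer records; only the second card has registered for the password step.
_PLAIN = CardRecord("4111111111111111", "12/11", "A CUSTOMER", "123")
_ENROLLED = register_second_factor(
    CardRecord("5555555555554444", "06/12", "A CUSTOMER", "456"), "correct horse")
ISSUER_DB = {c.pan: c for c in (_PLAIN, _ENROLLED)}


def authorize(pan: str, expiry: str, name: str, cvv: str,
              require_second_factor: bool,
              second_factor_password: Optional[str] = None) -> Tuple[bool, str]:
    """Issuer decision for one card-not-present transaction.

    require_second_factor models the bank's policy: False is the 'https only'
    behaviour complained about above, True is the mandated VbV/SecureCode flow.
    """
    card = ISSUER_DB.get(pan)
    if card is None:
        return False, "unknown card"
    # Everything checked here is printed on the card itself or on a POS receipt.
    if not (hmac.compare_digest(card.expiry, expiry)
            and card.name.upper() == name.upper()
            and hmac.compare_digest(card.cvv, cvv)):
        return False, "card details do not match"
    if not require_second_factor:
        return True, "approved on card details alone"   # the lapse: receipt data suffices
    if card.vbv_hash is None:
        return False, "cardholder not registered for second factor"
    if second_factor_password is None:
        return False, "second factor required"
    if not hmac.compare_digest(card.vbv_hash,
                               _hash_password(second_factor_password, card.vbv_salt)):
        return False, "second factor failed"
    return True, "approved with second factor"


def receipt_data(pan: str) -> dict:
    """What a merchant's POS slip plus a look at the card back exposes (never the password)."""
    card = ISSUER_DB[pan]
    return {"pan": card.pan, "expiry": card.expiry, "name": card.name, "cvv": card.cvv}


def exposure_outcome(pan: str, require_second_factor: bool) -> bool:
    """Would a transaction built only from receipt-exposed data be approved under this policy?"""
    approved, _ = authorize(**receipt_data(pan), require_second_factor=require_second_factor)
    return approved


if __name__ == "__main__":
    for pan in ISSUER_DB:
        for policy in (False, True):
            print(pan, "second factor required" if policy else "card details only",
                  "->", "APPROVED" if exposure_outcome(pan, policy) else "declined")
```

Under the "card details only" policy both cards are approved from receipt data alone; under the second-factor policy neither is, and the enrolled card is approved only when the registered password is also supplied. The issuer keeps a salted hash rather than the password, so even the bank's own records do not hand the secret to an insider, which is the narrowing-down effect described above.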

The other scary bit of online banking with some Indian merchants is the practice of auto-debiting your credit card for annual subscriptions. If I want to re-subscribe to your service, I will. I would prefer the merchant send me an email notice instead of directly debiting my card without my approval or request. This tells me that the merchant is storing my card details without my knowledge and permission, which is not good security practice, and most likely I will not use their service again.

Another problem area is live trading on the BSE. Currently this data is available only as deferred live data if you use a non-IE browser. The merchants I spoke to are unwilling to support live trading on a Linux platform, partly because the share traders and banks are so used to IE that they don't support any neutral standards or system platforms.

The European Union's Internet accessibility laws are pretty strongly enforced, and India should also have such laws. RBI, http://www.rbi.org.in, has a list of all the circulars sent to all Indian banks under its jurisdiction, including small branches, which as per law are required to publicly display rules and regulations in B&W on a notice board within their offices. Maybe a PIL on behalf of the Persons With Disabilities Act will get browser-neutral compatibility standards enforced across the board in India.

UPDATE: The Reserve Bank of India has now made it mandatory to have an extra level of authentication called a VBV (Verified by Visa) or MSC (MasterCard SecureCode) password. This password is required while you are making an online transaction. All customers are requested to visit their respective card-issuing bank's website or the VISA/MASTER sites and register their card for Verified by Visa or MasterCard SecureCode to get their password.

For the VISA credit card registration process, click on the following link:
http://www.visa-asia.com/ap/sea/cardholders/security/activate.jsp

For the MASTER credit card registration process, click on the following link:
http://www.mastercard.com/us/personal/en/cardholderservices/securecode/sign_up.html

2007 October 25 [Thursday]

CreditCard fraud in the making

It all started...

More than a month ago, when I had filled in an HDFC bank credit card application form, I got a verification call within 3-4 days from the outsourced agency handling the bank's credit card processing. The caller took a lot of personal information, and something about his questions made me suspicious, so I asked him his name. He took offence at that and said "You are not supposed to ask questions, only I can ask", followed by "Do you want the card or not? I can reject your application now." (those were his exact words). Alarm bells rang in my head at his outburst, but keeping my cool I asked him (yet again) for his name and whether he was really a bank employee, as he had taken sensitive private information during the phone call and his reaction made me doubt whether he was an actual bank employee. Then he became more rude and threatened to reject the application, so I asked for the call to be escalated to the bank manager, and he and his colleague (he was repeating what I said to his colleague) started laughing. When I insisted he give his name, he gave me a false name (as I came to know later), mumbled something about the manager not being available and disconnected the call.


The harassment begins ...

Two or three days later I got a call from an HDFC bank employee(?) again asking me for my residence address, which I gave. When he said he would send a person to collect a photocopy of my salary slip, PAN card, photo and other documentation for a credit card, I told him NO, as that was already given with the first application, so why did he need them again? Then he changed track and said it was for a fresh credit card application, which I refused as I had applied once and didn't need 2 credit cards from HDFC bank.

Very often I would get a call from different numbers claiming to be the call centre of HDFC bank, asking if I wanted a credit card. Each time I would decline, but I was getting suspicious since the calls were from different numbers and the caller had a standard -- I am a bank employee and will send a person to your house, keep docs ready -- line. His overeagerness to collect documentation proof told me something was amiss, despite my repeating that one card was enough.


Clueless HDFC Bank...

I was busy and had forgotten all about the application, by which time 3 weeks had passed, so I decided to go to the bank to check on things, where I was told that the application was declined (but they didn't know how) and I could re-apply only after 6 months. I explained the incidents with the verification call and wanted to know on what basis the application was declined, but the manager said that he could not access that information. I find that totally unacceptable, as it meant that an HDFC bank employee had less power (can't even get access to data) than an outsourced employee who could reject applications on a whim, be vindictive and rude, and harass a customer privately. While I was talking to the manager, two other customers came up and said how they had been harassed by the credit card division and had to make payments for no fault of theirs. Most people are so thrilled about owning plastic and want to flaunt their credit card that they don't read or see the fine print, don't ask uncomfortable questions and later end up in trouble, paying interest rates as high as 35-55%.


Glaring security issues ...

Well, strange things were about to happen, as I learnt later when by chance I met another employee and mentioned this harassment. They connected me to their QA person, who was very helpful, especially when I explained the glaring loopholes in the security. A little later they confirmed what I already knew, that my application was rejected, but strangely the verification process, which is supposed to be initiated by the bank, had not been initiated by the bank.

What the heck ......?

0] So how did my application reach the hands of the verification caller if the bank did not initiate/act on the application?

1] They checked and found that the number the first caller had called me from belongs to some government office. Hmm... so much for the security of your sensitive data... and my suspicions were right all along :-/

2] According to the bank, only a bank employee has the right to do verification for credit cards... then how did I get a call from a person who claimed to be a bank employee, when they say Mr. XYZ does not work there? Now this HDFC employee has access to my personal information, had the power to reject the application, be vindictive, and call me at odd times later asking me to apply for more cards, and all this without the application following due procedure and without it being sent for verification.

3] Even if a credit card is issued in future, the person indulging in this fraud can easily gain access to the credit card number and misuse it, simply due to the privileged employee (insider) status he enjoys.

In sum, I for one will not trust the credit card division of the bank, as they

- have no control over their own/outsourced employees,
- are not proactive about customer complaints and grievances,
- are utterly clueless and careless about existing and potential security loopholes,
- seem to take financial fraud lightly and are totally reluctant to take action and/or preventive measures.