Tips for safe Net transactions


    The whole process that normally takes less than 10 minutes could go on for 20 minutes. It becomes almost a memory test: you have to remember the password and things like your mother’s maiden name, your birth date and your address PIN code.

    It could be irritating, but all of this is being done today to ensure that your funds are safe, and you have nothing to worry about when you conduct transactions online.

    It’s part of a move to make online security more dynamic. Apart from the customer ID and one-time password, companies are trying to bring in more levels of complexity so that hackers cannot get into the system.

    Security service providers today offer a variety of such solutions.

    Smart cards and tokens

    One of these involves issuing a smart card or token that displays a changing number. When a user logs into his bank or brokerage website, he will be asked to fill in not just his password but also the additional number shown on the token.

    The token number is a set of 7 to 8 digits that changes every 30 or 60 seconds.

    It’s based on an algorithm that does not repeat a number for almost eighteen years, and the algorithm in the token is synchronised with an identical one linked to your online bank account.

    As soon as the user fills in the token number, the server will cross check that with the one linked to the account and authenticate the user only if the two are identical.
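
    The server-side cross-check described above, as an added example that is not from the article or from any vendor. It uses the open TOTP standard (RFC 6238) in place of RSA's own token algorithm, and the sample secret, the 30-second step, the 8-digit length and the one-window clock-drift allowance are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed sample secret (the RFC 6238 test key), not a real token seed.
SAMPLE_SECRET = b"12345678901234567890"


def token_code(secret: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """Code the token displays during the time window containing unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_code(secret: bytes, submitted: str, unix_time: int,
                last_counter: int = -1, step: int = 30, digits: int = 8,
                drift: int = 1):
    """Server-side cross-check: return the matched window counter, or None.

    Windows within +/- drift of the server clock are accepted to absorb token
    clock skew. A window at or before last_counter is refused, so a code that
    was already used (or an older one) cannot be replayed.
    """
    now = unix_time // step
    matched = None
    for counter in range(max(0, now - drift), now + drift + 1):
        expected = token_code(secret, counter * step, step, digits)
        # Constant-time comparison; no early exit on the first match.
        same = hmac.compare_digest(expected.encode(), submitted.encode())
        if same and counter > last_counter:
            matched = counter
    return matched


if __name__ == "__main__":
    code = token_code(SAMPLE_SECRET, 59)
    print(code, verify_code(SAMPLE_SECRET, code, 65))
```

    The server stores the returned counter per account and passes it back as last_counter on the next login, which is what makes each code single-use.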

    Dynamic passwords

    “A manual or static system is easy to hack into. But when the system gives a dynamic password each time and is a time controlled device, then it is tough to hack,” says Arthur Coviello, CEO of RSA (the security division of EMC).

    The use of tokens for high net worth clients is on the rise. But it’s also getting into mass usage. RSA is shipping 400,000 of such tokens to the Bank of China every month.

    “One of our customers, Bajaj Capital in Delhi, has about 150,000 customers. They are issuing tokens for users who do internet trading and even have an additional code requirement for doing any transaction,” says Amuleek Bijral, country manager (India) for RSA.

    Authentication process

    Rajiv Chadha, VP for sales in VeriSign, says banks, and many others, are increasingly becoming aware of the need for second-factor authentication.

    So much so that in some countries like Brazil, it’s creating a problem of excess.

    “A customer in Brazil wears about 5 tokens around his neck - two for bank access (different accounts), one for his office authorisation, and two for access to other niche applications. Now the banking authority is looking at creating one common token standard to make life simpler for consumers,” says Chadha.

    Monitor user behaviour

    Another dynamic security solution involves keeping an active account of user behaviour and taking action accordingly.

    Thus, the system will note the IP address from which you normally log in to the account, the nature of activities you normally conduct with the bank, the browser you use and its version, and maybe even the resolution of your monitor.

    If there is a significant deviation from any of these, the software could be programmed to take action in some form. “When I was traveling to Italy and wanted to transfer money to my daughter in the UK, the system did not allow my request to be processed,” says Coviello.

    “So then I had to call up the bank, answer some questions and only after that was I allowed to transfer the money.”

    Tracking user behaviour

    But it needn’t be a complete stoppage of a transaction.

    If the transfer amount involved is small, the system could ask you to answer a set of questions that only you can be reasonably expected to know. And if you get that right, the transaction can be completed.

    “In spite of being expensive and time-consuming, banks are now monitoring user behaviour. Any deviation is noticed and is questioned. These additional mechanisms for fraud detection instill more confidence in customers,” says Chadha.
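
    The behaviour check from the two sections above, as an added example that is not from the article or from any bank's system: it compares a request with the user's usual profile and then allows it, asks security questions, or blocks it. The attribute weights, the significance threshold, the small-amount limit and the sample profile are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed weights and thresholds, chosen for illustration only.
WEIGHTS = {"ip": 3, "activity": 2, "browser": 1, "resolution": 1}
SIGNIFICANT = 2          # total weight that counts as a significant deviation
SMALL_AMOUNT = 5000.0    # at or below this, challenge instead of blocking


@dataclass(frozen=True)
class Profile:
    networks: tuple      # CIDR ranges the user normally logs in from
    activities: frozenset
    browsers: frozenset  # browser name and version
    resolutions: frozenset


@dataclass(frozen=True)
class Request:
    ip: str
    activity: str
    browser: str
    resolution: str
    amount: float


def deviations(profile: Profile, req: Request) -> list:
    """Names of the monitored attributes that differ from the user's profile."""
    addr = ipaddress.ip_address(req.ip)
    checks = {
        "ip": any(addr in ipaddress.ip_network(n) for n in profile.networks),
        "activity": req.activity in profile.activities,
        "browser": req.browser in profile.browsers,
        "resolution": req.resolution in profile.resolutions,
    }
    return [name for name, ok in checks.items() if not ok]


def decide(profile: Profile, req: Request) -> str:
    """Return 'allow', 'challenge' (security questions) or 'block'."""
    score = sum(WEIGHTS[name] for name in deviations(profile, req))
    if score < SIGNIFICANT:
        return "allow"
    return "challenge" if req.amount <= SMALL_AMOUNT else "block"

# Constructed sample profile (documentation IP range, made-up values).
SAMPLE = Profile(("203.0.113.0/24",), frozenset({"transfer", "balance"}),
                 frozenset({"Firefox/3.0"}), frozenset({"1280x800"}))
```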

    Rise in malicious attacks

    Companies also face the issue of malicious code created by hackers looking to access user accounts and get financial information.

    Malicious attacks are growing in volume and sophistication, and newer forms are emerging all the time.

    So banks spend a lot of effort trying to protect themselves from such activities.

    “To tackle that, along with a black list, we are also creating a white list and a reputation-based security system,” says Vishal Dhupar, MD of Symantec India.

    The white list database

    The white list is a huge database identifying popular, legitimate programmes and allowing them to run unhindered.

    The reputation-based software rating system is said to be able to accurately categorise less popular legitimate and malicious files.

    The approach assumes three distinct populations in Symantec’s user base - one that’s ultra-safe (downloading applications only from reputable software companies), another that’s adventurous (generally safe, but occasionally trying out new programs or unsafe websites) and the third that’s completely unsafe (frequently accessing websites that can easily infect them).

    Tackling malicious files

    And the classification is done by looking at the history of infections on the users’ machines. When a new program is detected, Symantec’s new approach entails looking at where the program is found.

    If a large number of the ‘safe’ machines have it, then it would be classified as a safe program. But if it’s found only in the ‘unsafe’ machines and a few of the adventurous ones, it would be classified as ‘unsafe’ and you would be warned.
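
    The two-stage rating described above, as an added example that is not Symantec's code: machines are first grouped by infection history, then a new program is rated by which groups hold it. Every cut-off, the "unrated" fallback and the sample telemetry are assumptions, since the article gives no numbers.

```python
from collections import Counter

# Assumed cut-offs; the article gives no numbers.
LARGE_SAFE_SHARE = 0.5        # "a large number" of the safe machines
FEW_ADVENTUROUS_SHARE = 0.25  # "a few" of the adventurous machines


def cohort_of(past_infections: int) -> str:
    """Place a machine in one of the three populations by infection history."""
    if past_infections == 0:
        return "safe"
    if past_infections <= 2:  # assumed boundary
        return "adventurous"
    return "unsafe"


def rate_program(holders: set, infection_history: dict) -> str:
    """Rate a newly seen program from the cohorts of the machines that have it."""
    cohorts = {m: cohort_of(n) for m, n in infection_history.items()}
    size = Counter(cohorts.values())
    # Machines with no recorded history carry no weight in the rating.
    seen = Counter(cohorts[m] for m in holders if m in cohorts)
    share = {c: seen[c] / size[c] for c in size}
    if share.get("safe", 0.0) >= LARGE_SAFE_SHARE:
        return "safe"
    only_risky = seen["safe"] == 0 and seen["unsafe"] > 0
    if only_risky and share.get("adventurous", 0.0) <= FEW_ADVENTUROUS_SHARE:
        return "unsafe"
    return "unrated"  # not enough evidence either way


# Constructed telemetry: machine id -> number of past infections.
SAMPLE_HISTORY = {"s1": 0, "s2": 0, "s3": 0, "s4": 0,
                  "a1": 1, "a2": 2, "a3": 1, "a4": 1,
                  "u1": 5, "u2": 7, "u3": 4}
```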

    Symantec also has its DeepSight information services, a global intelligence network that provides an up-to-the-minute view of security threats by capturing and processing security data for organisations.

    These information services deliver trend analyses and security incidents data to organisations, which enables them to take proper measures and defend themselves against threats.

    Cyber crime on the rise

    The need for more sophisticated security measures arises from the fact that cyber crime is on the rise. There was a time when hackers hacked for fun. Increasingly, they are doing it for financial gain.

    “A week ago a friend of mine saw an entry in her bank statement that indicated she had bought an air ticket for Rs 10,000 which she had not,” says Vijay Mukhi, a member of the advisory board on cyber security of the Indian government.

    “When she contacted the bank, they told her to register an FIR. At the police station, citing jurisdiction issues, they did not register the FIR. She still has no idea what to do.” The onus here lies with the banks, he says.

    “The police and the banks have to work together and also frame appropriate policies. Also, banks need to come out, file cases of theft and get a few people jailed to set an example and get back customer confidence,” adds Mukhi.

    The need for security

    Capt Raghu Raman, CEO of Mahindra Special Services Group, says financial institutions in India are recognising the need for greater security.

    “They have tokens or might ask you to give in some digits of your debit card or the card will have its own number grid at the back which they might ask for. Some stock brokers are registering the machine that you access the account from. Without the same machine number, no person will be able to log onto the system,” he says.

    But won’t hackers find ways to crack these newer systems? Maybe. But, as Coviello says, if somebody deploys these systems, hackers are likely to first look elsewhere (to those who haven’t deployed them).