What RBI needs to do to save senior citizens from cyber crimes
RBI needs to force banks to take some serious action to stop the widespread frauds being perpetrated on senior citizens.
Even though I normally write only about investments, I’m going to address a different financial issue today—bank account security. The number of times one hears about senior citizens becoming victims of digital robberies is phenomenal. Even within one’s close circle, hardly a month goes by when one does not hear of an older person getting a few calls asking for OTPs and then finding that there were Netbanking transactions from their accounts. The transactions are generally for something that is easily encashable or sellable. What’s bothering me about the whole business is that banks are not taking the obvious steps that could drastically reduce such fraud.
From anecdotal evidence, this particular kind of robbery, where the elderly are targeted by phone calls that ask for OTP, is the dominant form of digital crime in India. Yet, it’s hard to come by any evidence to show that banks (or the banking regulator) are serious about stopping it. Banks talk a lot about people giving away OTPs. Once you give away the OTP then the liability is entirely yours. The strange thing is that there is little public discussion or information around what happens before the transaction reaches the OTP stage. Where did the criminal get the rest of the details like the card number and the CVV number?
I personally know of cases where the aged victims have never used the card anywhere except at the local ATM. They do not even know how to do online transactions. Yet the cards were used in a completely different, far away part of the country for online transactions! It’s highly likely that the card numbers and the CVV were leaked from the bank, but the bank is focussed on the OTP alone. Any effort to solve this crime and reduce similar crimes should start from the root cause, which is the leakage of card data.
Meanwhile, we have had a huge song and dance about replacing every card in the country with a chip card. However, the only crime the chip stops is of card skimming and counterfeiting, which is a more exotic kind of activity and needs some specialised equipment and technical skills to carry out. Chip cards are basically adding to someone’s revenue while the simple cottage industry of sweet-talking old men and women out of OTPs is flourishing.
The sad thing is that there are simple measures, most of which are implemented in other parts of the world, which can reduce such fraud.
One: Banks should have ‘tracer’ card numbers with dummy customer details in their internal databases. If any fraudulent transactions are ever attempted on such cards then the bank would know that there has been an internal leak. To pinpoint leakages in time, some numbers should be regularly (as in daily) deleted and others added to the database.
Two: OTPs should be linked to specific transaction attempts, rather than be blanket permissions valid for a certain time period. The SMS should specify the transaction and the attempt. It should say something like ‘Use OTP 725383 for purchase of Rs 42,343 at online store.’ This OTP should be valid only for that amount and at that merchant. This will help the victim smell a rat and not give out the OTP.
Three: Geo-location of online access is a solved problem and almost every professional website uses it for something or the other. If banks are interested in preventing crime, they can further enhance the SMS message by using the location from which the OTP page is accessed. The above SMS message can then be enhanced to something like ‘Use OTP 725383 for purchase of Rs 42,343 by customer in Asansol, West Bengal.’
Four: Banks can implement dual or split OTPs for higher value transactions by older customers. A older customer would give a second phone number, perhaps of a younger family member. For transactions above a certain amount, half the OTP would go to one number and half to the other. This would make the criminal’s task much more difficult.
There are many more things that can be done. Obviously, none of them are perfect and total solutions and yet would drastically reduce such crimes, saving senior citizens from losses and stress.
Will Indian banks do these things? Well, if they were going to do so voluntarily then they would already have done so. After all, none of this is rocket science and all have been done by banks and other organisations elsewhere in the world. So the ball is actually squarely in the regulator’s court. If the RBI wants to help save senior citizens from financial crime, then it has to force banks to the path of less talk and more action.
(The writer is CEO, Value Research)