02 May 2017 17:40 IST

Are banks overusing password rules?

Here are a few ways you can beat technology headaches using technology

If your bank has not warned you yet that your login password is about to expire and that you have to change it now, just wait. The ominous threat is coming your way soon.

And because transaction passwords often do not expire on the same date as the login one — banks have different rules for login and transaction passwords — that warning will hit you soon as well.

Tightening the rules

No one knows exactly why, but all major Indian banks seem to be tightening the rules regarding banking passwords.

One reason could be that they use Finacle, a product which Infosys feels pressured to keep ultra safe worldwide, and therefore keeps adding new security rules to. When Indian banks upgrade their systems, the new password requirements are passed on to customers as well.

It is not that we do not need to have our bank accounts secure. Of course we do. But in the proverbial ‘cost-benefit analysis’ of tightening security, it is possible that banks have already crossed the line where each additional rule adds more marginal cost than it returns in marginal benefit.

Online banking in India

Indian internet banking is already one of the world’s most secure. Customers can only sign up for internet banking at their branch and only if their ‘Know Your Customer’ (KYC) profile is already updated.

The login ID and the password arrive at the customer’s address of record in two separate envelopes by courier. Once the customer logs in, he can only view transactions. Another trip to the branch is sometimes required to open up other areas of internet banking, like standing instruction features.

Core banking typically utilises three passwords: login, transaction, and profile. Beneficiaries can only be set up using a fourth password, the OTP. The One Time Password, the second factor in what the technology industry calls two-factor authentication (2FA), has been the pillar of modern Indian banking.

Rock solid shield

The idea is that customers protect their accounts with something they know (passwords) and something they have (their mobile phone, which receives the OTP). And even then, beneficiaries are active only after a cooling-off period, which can sometimes be as long as five days.

Email and SMS notifications about the new beneficiary are repeatedly sent so that customers are in the know. To further prevent fraud, banks limit the amount of money that can be transferred to a new beneficiary.

This security shield is rock solid. Attempts to hack into an account are not likely to succeed. For one thing, bank accounts are locked forever if a customer keys in the wrong combination of username and password. Unlocking often requires a visit to a branch and going through the elaborate set-up process for internet banking all over again, including receiving passwords by courier.

Resetting passwords: Some banks allow customers an online reset of passwords, but many challenging questions have to be answered first — like the ATM/debit card number, the PIN, one of the last five transactions, and its nature (debit/credit). Even if an intruder had all of this information and was attempting to force a change of a customer’s password, he would fail at the OTP step, which is required even to request a password reset.

Kudos to Finacle’s architects for creating a Fort Knox-like security environment for our banks. So what is the need for customers to have to change their login and transaction passwords as often as once every six months?

Is it worth the inconvenience?

Being obsessed with security to the point where customer convenience is compromised is actually rather silly. Most banking customers have accounts in multiple banks. Password rules are not the same for them all — while some banks require special characters, others require at least one uppercase letter and one number. So it is bad enough that customers have to remember all of these passwords as things are. Forcing a password change at each bank will only cause enormous anxiety to the customers!

Banks will maintain, with a halo, that they are doing all of this to prevent fraud and improve security. True, but when their business processes place an unwelcome burden on customers, it is time for them to look inward and assess whether there are better ways to achieve the same end.

Indian banks have borrowed a lot from the big technology companies. But Google, Facebook, Twitter, Microsoft and Apple do not require customers to frequently change their passwords. I have not changed my Google account password in nearly six years because I rely on the company’s state-of-the-art authenticator app for 2FA to protect my accounts. The app instantly returns an OTP which I key into the accounts page, and I am done. I don’t even have to be online for this step.

The New York Times reported last year that some of the largest US banks, acknowledging that traditional passwords are either too cumbersome or no longer secure, are increasingly using fingerprints, facial scans and other types of biometrics to safeguard accounts. Security is a problem with US banks because none of the safeguards which currently exist at Indian banks are mandated there.

But knowing how stubborn India’s banks are, we may have to just shrug our shoulders and accept this new diktat of frequent password changes with a smile. So how do we do this?

Dealing with changes

~ Do not attempt to access your bank accounts from a non-trusted computer. Always use your computer at home or at work.

~ Try using a password manager. There are some excellent free ones available, so you can outsource this onerous task to an algorithm.

~ Or use a cloud file — like a Google Docs spreadsheet — to document your passwords. Since your Google Docs is 2FA protected, there’s little chance that it will be hacked. In the password sheet, refer to a base password, preferably alphanumerical, that you alone know, simply as “base”.

Use the same base password across all banks, but do not type it into your Google Docs password sheet. To the end of this password, add today’s date with a couple of special characters to create your operational password. For example, “base&-300417”.

So, when the bank prompts you in six months’ time to create a new password, say on October 30, change your password to “base&-301017”, where everything except the two-digit month is the same.

Because different banks warn you on different days of the year, each password will be unique. This approach is secure because even if someone hacks into your Google account, they don’t know what the word base means.

In other words, beat technology headaches using technology, one headache at a time.